'The cost is approximately €1.1m' - HSE give details of Microsoft bill
The HSE will spend €1.1m in premium extended IT support fees to Microsoft this year, the health service has said, with a smaller level of fees due in 2021.
The HSE was responding after Independent.ie revealed that the body faces a hefty bill for not having its PCs and laptops upgraded to a safe and secure version of Windows in time for a deadline next week.
Microsoft’s obsolete Windows 7 operating system will be cut off from security support worldwide next week, a deadline that has been flagged for five years. The company offers an ‘extended support’ service to allow those who haven’t upgraded to avail of critical security patches.
“Negotiations were carried out with Microsoft in order to achieve the best value for money for this service,” said the HSE statement. “The cost is approximately €1.1m.”
In a detailed response, the HSE said that it has 46,000 Windows 7 computers still operating on its network, out of a total of 58,000 computers.
It said that it would spend €13.5m this year replacing and upgrading PCs, with €1.1m earmarked for the special ‘extended support’ payments to Microsoft due to not making the pre-existing security shutoff deadline.
However, HSE chief information officer Fran Thompson told the Irish Independent that the size and complexity of the HSE meant that it was “never” going to be able to meet the January 2020 deadline, even with several years’ notice.
He said that extending the support to the outdated Windows 7 operating system at an agreed cost of €1.1m with Microsoft represented the best use of the organisation’s budget compared to alternative solutions.
He added that 12,000 of the 46,000 machines “cannot be replaced” until radiology information systems are upgraded in 2021.
“The HSE Windows 10 program started in late 2017,” said an HSE statement. “In 2018, the testing and validation of our 650 different applications started. The validation of off-the-shelf applications is straightforward. However, the HSE, like all other health services internationally, has many health-specific applications which require extensive testing and validation to ensure that they continue to perform as expected.”
Three years ago, the HSE had to shut off its systems from outside communication because the WannaCry ransomware virus threatened a number of its PCs connected to Windows XP, an older unsupported system. The same virus crippled UK hospitals, forcing some into paying over hundreds of thousands of pounds to criminal attackers who gained control over the computer systems.
Other state bodies are also stuck with Windows 7 computers.
According to figures released from a parliamentary question from Labour TD Alan Kelly, the Department of Employment and Social Affairs has 11,000 PCs still using Windows 7, while the Department of Justice has 3,700. Both departments host sensitive data on citizens.
“The HSE has over 6,000 locations nationally which have Windows 7 devices,” said the HSE statement. “This makes the size and scale of the upgrade logistically and technically challenging. The initial deployment of Windows 10 devices was slow and methodical to ensure that patient care would not be compromised by the upgrade.”
The HSE replaces 5,500 desktops and 2,000 laptops every year, which amounts to 13pc of its devices. Its annual budget for this is €6m, but it will bring forward next year’s allocation to fast forward the upgrades this year.
Mr Thompson said that he expects the bulk of the 46,000 PCs and laptops to be upgraded to Windows 10 this year.
However, this means that it will have to agree a new ‘extended support’ fee program with Microsoft in 2021. Mr Thompson said that this would be “an awful lot smaller” than the €1.1m budgeted for 2020.
“The HSE has the largest estate of devices in the state and management of these takes considerable resources,” said the HSE statement.
“The bulk of our Windows 7 devices will be replaced during 2020. The HSE has a layered system of security to mitigate cybersecurity risk. This includes perimeter security, software updating, real time monitoring of assets, mobile devices security and endpoint encryption. Given the continued threat of cybersecurity, the HSE will continue to invest in cybersecurity tools and education of staff to help minimise the ever-changing threat.”