HSE says it had no choice but to pay €1.1m extra for IT security support
The HSE has defended being stuck with a €1.1m Microsoft bill for missing a key security upgrade deadline, saying that it represented the best option under the circumstances.
The health service was responding to an Irish Independent article which revealed it faces a hefty bill for not having its PCs and laptops ready before Microsoft discontinues security support for its obsolete Windows 7 system next Tuesday.
The January 14 deadline had been flagged for five years, from the time the tech giant launched its Windows 10 system. Microsoft offers an 'extended support' service to allow those who haven't upgraded to avail of critical security patches aimed at preventing hackers gaining access to non-upgraded PCs.
"Negotiations were carried out with Microsoft in order to achieve the best value for money for this service," said the HSE statement. "The cost is approximately €1.1m."
Please log in or register with Independent.ie for free access to this article.
The HSE said that it has 46,000 Windows 7 computers still operating on its network, out of a total of 58,000 computers. It said that it would spend €13.5m this year replacing and upgrading PCs, with €1.1m earmarked for the special 'extended support' payments to Microsoft.
However, the body's chief information officer Fran Thompson told the Irish Independent that the size and complexity of the HSE meant that it was "never" going to be able to meet the January 2020 deadline, even with several years' notice and three times the HSE's 320 IT staff.
"You're trying to balance risk, finance and service," he said. "You have to make sure that systems are tested correctly and that services aren't interrupted. In some cases that means taking systems away from staff to test."
He said that 12,000 of the 46,000 machines "cannot be replaced" until radiology information systems are upgraded in 2021.
Mr Thompson said that he expects "the bulk" of the HSE's remaining 46,000 PCs and laptops to be upgraded to Windows 10 this year.
However, this means that the organisation will have to strike a new 'extended support' fee programme with Microsoft in 2021 for any outstanding machines. Mr Thompson said that this would be "an awful lot smaller" than the €1.1m budgeted for 2020.
"The HSE Windows 10 programme started in late 2017," said an HSE statement. "In 2018, the testing and validation of our 650 different applications started. The validation of off-the-shelf applications is straightforward. However, the HSE, like all other health services internationally, has many health-specific applications which require extensive testing and validation to ensure that they continue to perform as expected."
Three years ago, the HSE had to shut off its systems from outside communication because the WannaCry ransomware virus threatened a number of its PCs connected to Windows XP, an older unsupported system. The same virus crippled UK hospitals.
According to figures released from a parliamentary question from Labour TD Alan Kelly, the Department of Employment and Social Affairs has 11,000 PCs still using Windows 7, while the Department of Justice has 3,700.