HSE at 'ongoing risk' to cyberattack with gas sector 'vulnerable', says EU cyber agency
European cyber bosses are flagging ongoing risks to the health sector because of old computer systems, complex supply chains, and poorly secured medical devices.The EU cyber agency, ENISA, cites the crippling cyberattack on the HSE in 2021 as an example of the “potentially devastating impact” of cyberattacks on healthcare services.In a new report, the agency also warns of cybersecurity risks in the gas sector, identifying “insufficient” preparedness and response to cyber incidents.Ireland is hugely reliant on gas for its energy and heating systems and imports the bulk of it through digitally-controlled pipelines from Britain, which in turn, are supplied via pipelines from Norway.The ENISA report said telecoms, electricity, core internet and cloud and data centres “are the four most critical sectors for the economy and society”. It said incidents in these sectors have “immediate and severe impacts”, pointing out that they all rely heavily on digital technologies.“The electricity subsector ranks highest [in terms of criticality], as a significant incident would have immediate impacts due to its central role in daily life and interdependencies with critical sectors like telecoms and transportation, potentially causing cascading effects,” the report said.ENISA did say that the level of cyber security is most mature in the high-risk areas of banking, electricity and telecoms.The report assesses the standard of cybersecurity in critical sectors in light of the EU NIS2 Directive, which member states had to transpose into national law by last October. This EU cyber law significantly expanded, to 18, the number of sectors deemed critical for cyber security protection.Healthcare sector It ranked the healthcare sector as providing a “moderate” level of cyber security protection, which is in part because it includes smaller health entities that “often struggle even with basic cyber hygiene”.It said: "Additionally, the sector’s reliance on complex supply chains as well as its dependence on legacy systems and inadequately secured medical devices, further exacerbates the situation.” The report said ransomware attacks can incur “substantial costs” and referred to the HSE cyber attack in 2021.Irish figures show that the immediate financial cost to the State from the HSE cyber attack was €102m, in 2021 alone. The State made an allocation of €55m in 2024 to enhance HSE cyber security.
In September 2022, the Comptroller and Auditor General (C&AG) estimated that almost €660m would need to be spent over seven years to bring the HSE’s cyber security up to standard.In addition, the HSE identified over 90,000 people whose personal health information was accessed by the cyber gang, a Russian-based outfit. It is estimated that over 473 cases are being taken in the courts by individuals.ENISA said that the European Commission had recently published an action plan to strengthen cybersecurity at hospitals and healthcare providers.In relation to the gas sector, the report said that because it was reliant on digital systems for control and its interconnectedness with industries like electricity and manufacturing it was “vulnerable to cyberattacks” which it said could potentially cause “widespread economic impacts”.
Comments (0)