Recent Cyberattack and its Impact on the Health System: Statements

My Department hosts the National Cyber Security Centre, NCSC, which was established by Government decision. It is the central cybersecurity incident response unit for the State, with a broad remit across the cybersecurity of government ICT and critical national infrastructure. The NCSC acts as a central contact point in the event of a government or nationwide cybersecurity incident affecting the State. It also provides expert advice and analysis on cybersecurity issues and is involved in co-ordinating and supporting the response to significant incidents, with a lead role being taken by the entity affected by the incident.

Information sharing is a key component of the work of the NCSC, whereby it acts as a source of expert advice and guidance, but also as a clearing house for information. That is to say, it takes in threat intelligence data, trends and risks data from national, global and local sources, analyses them and makes sure those people who need those data get them, either to protect their systems or to assist them in carrying out their statutory roles.

The NCSC team comprises highly skilled specialist technical civilian staff, with skill sets in areas such as computer science, software engineering, malware analysis, information technology forensics, cryptography, software development and cybersecurity compliance, as well as general cybersecurity skills. The computer security incident response team, CSIRT, is the team within the NCSC that leads in response to cybersecurity incidents. The CSIRT of the NCSC is designated as the national CSIRT by Government decision and under the EU network and information security directive. The CSIRT has international accreditation and is the team that is notified by constituent organisations of an incident or a suspected incident. It is this team that engages with the affected body to support it in addressing the threat.

Early on the morning of Friday, 14 May, the NCSC became aware of a significant incident affecting the HSE network. Initial reports indicated a human-operated Conti ransomware incident that had severely disabled a number of systems and necessitated the shutdown of the majority of other HSE systems. The NCSC activated its crisis response procedures and made contact with a major international cyber incident response company which was engaged by the HSE early on Friday morning and began immediately to determine the nature and extent of the incident.

Throughout the past four days, the Minister of State, Deputy Ossian Smyth, and I have been in daily contact with my officials in the NCSC. I was also in regular contact throughout the weekend with the Taoiseach, the Tánaiste, the Minister for Health, Deputy Donnelly, and the Minister for Justice, Deputy Humphreys, as well as Mr. Paul Reid, chief executive officer of the HSE.

In addition, yesterday afternoon An Taoiseach, the Tánaiste, the Ministers for Justice and Health, the Minister of State, Deputy Smyth, and I met to be briefed by the NCSC and the HSE and to discuss the ongoing impact of the cyber incident on the HSE. The NCSC provided a detailed briefing on the incident, technical responses that have been deployed and the ongoing work to recover the IT systems of the HSE, prevent further damage and, very importantly, support the restoration of healthcare services.

A determined and methodical approach has been adopted to resolving the impact of this incident. I understand that all necessary resources and personnel are engaged in support of the HSE. In the coming days, the NCSC will continue to work in close co-operation with the HSE, An Garda Síochána, the Government chief information officer and a specialist cybersecurity contractor. The Minister for Health has already provided information on the measures being implemented to ensure continuity of services during this period.

The NCSC is also supporting the Department of Health in implementing its response plan to a cyberattack late last week, including the suspension of some functions of the IT system of the Department as a precautionary measure. As regards the incident in the Department of Health, the NCSC was notified by the information security team in the Department on the afternoon of Thursday, 13 May, of suspected malicious activity on its network. The NCSC engaged immediately with the Department and, recognising there were indicators of an attempted cyberattack, advised the Department to implement its crisis response plan and to engage a specialist incident response team, which it did on Thursday evening. Throughout Thursday night, the NCSC and the third-party contractors worked closely with the Department to investigate the incident and begin the recovery process.

The NCSC has provided specific advice and guidance to its constituents throughout the weekend based on its analysis of the incident in the health sector.

The NCSC has more than 160 constituents, which includes Departments and operators of essential services. An initial advisory notice was circulated on Friday and an updated advisory was issued by the NCSC on Sunday. In addition, on Sunday, staff at the NCSE were in direct contact with operators of critical national infrastructure, including other bodies within the health sector, to ensure they had received the advisory notices and were implementing appropriate measures to protect their systems.

Yesterday, the NCSC hosted online briefing sessions to answer questions from all its constituents. The feedback from these sessions has been very positive. The NCSC will continue to provide advice and guidance throughout the coming days and its advice will be updated when the malware deployed in the cyber incidents on the HSE and the Department of Health has been further analysed. In addition to the specific guidance issued to its constituents, the NCSC has published on its website general information about these cyber incidents with some limited detail on the malware.

As Deputies will appreciate this is very much a live incident, so it is necessary to limit the circulation of sensitive operational information at this time. I encourage IT managers in all businesses and voluntary organisations to review this guidance and consider what steps might need to be implemented to further enhance the security of their systems.

In conclusion, I assure the House that my Department, through the National Cyber Security Centre, will continue to exert its considerable technical capacity in support of the HSE at this time. It will continue to share any learning from this incident with the constituent organisations across the public and private sector to assist those organisations in ensuring the resilience of their cybersecurity.

I thank the Acting Chairman for the opportunity to update the House on the impact of the cyberattack on our health services. Last week, the State was subject to a sophisticated ransomware attack. Information communication technology, ICT, infrastructure at the Department of Health and the HSE, including national and local IT systems, were the subject of a serious and malicious cybersecurity incident in the early hours of last Friday. The systems in my Department and the HSE were shut down immediately with the objective of containing the attack. Since that time, both organisations have been working to analyse the extent of the attacks, which includes working closely with the National Cyber Security Centre and State agencies, including An Garda Síochána and the Defence Forces, in order to resolve the situation in a planned and structured manner.

This is having a profound effect on patients across the country. Like many in the House, I have listened to some of the testimony from those directly affected. Jill Byrne, mother of Cian, who has Down's syndrome, outlined on RTÉ earlier today the many appointments scheduled for Cian this week, all of which have now been cancelled. Like Cian, for many patients and families these appointments have been long awaited. Others have had treatment for serious illnesses postponed. Donna-Marie Cullen described how she was due to complete her radiation treatment for cancer at the end of May and now faces delays to that course of treatment. We can only imagine the anxiety this is causing her, others in the same position and their families at this time.

The HSE and the Department are prioritising the restoration of services with teams working around the clock to resolve the situation through a planned, structured response, under the direction of a HSE national co-ordination centre. This involves the assessment and recovery of approximately 2,000 IT patient-facing systems, each supported by infrastructure, multiple servers and devices. In addition, there are approximately 80,000 HSE devices which need to be checked. This is being carried out in a methodical process of cleaning, restoring and bringing back online while managing the risk of reinfection.

The HSE is prioritising those patients most in need of urgent care. In particular, every effort is being made to maintain cancer services, with a particular focus on urgent and time-sensitive cases. Unfortunately, radiotherapy services are particularly impacted. Medical oncology is continuing, with some delay due to manual recording in administrative processes. Plans are being developed to relocate some of these services to private hospitals on a temporary basis.

Patients and clinical teams at acute hospitals are experiencing increased turnaround time for laboratory tests and difficulty in accessing patient information history, which is a matter of concern. A significant number of outpatient appointments have been cancelled. Most community health services such as disability, mental health, primary care and older people services are operating as normal. However, I am advised that some delays and cancellations can be expected. This is especially the case in dental, orthodontics, ophthalmology and audiology services. Any appointments that cannot go ahead will be rescheduled as soon as possible.

Emergency departments are open and operating. However, patient flow is impacted in all areas due to reduced laboratory and radiology capacity and, of course, reduced access to patient records. If a patient is acutely unwell or seriously injured, they should attend an emergency department. We also have injury units and GP out-of-hours for people to access.

The HSE continues to provide updates on the provision of its services, including hospital appointments, emergencies, community health services, radiation therapy, screening services, sexual assault treatment units, counselling services and, of course, Covid-19 vaccine and testing updates at hse.ie. This is where patients can access the most up-to-date information as it is changing all the time.

Access to ICT continues to be severely restricted. This means officials of both the HSE and the Department of Health do not have access to email and the other information systems required to carry out day-to-day work. As a consequence, it is not currently possible for my Department to meet all its Oireachtas obligations. I thank all colleagues for their understanding in respect of the challenges we face in meeting our Oireachtas obligations, including parliamentary questions.

The criminals behind this assault are utterly contemptible, but Ireland is not alone in facing cyberattacks. These criminals deliberately target critical infrastructure. Unfortunately, healthcare is a real target of cybercrime at the moment, due to the high value of health data and the criticality of health services. As the European Union Agency for Cybersecurity has pointed out, malicious criminals have introduced more advanced phishing campaigns and ransomware attacks since the onset of the pandemic. We will overcome the effects of this assault on our public health system and I reassure colleagues we are doing all we can to ensure we resume services as quickly and safely as possible.

As the Ministers know, I prefer to use my time to ask questions. I join both Ministers, especially the Minister for Health, in stating that those responsible for this attack are utterly contemptible. They have brought many elements of our health services to a standstill at a very critical and crucial time when, because of the Covid pandemic, many elements of healthcare were paused or suspended. The latest National Treatment Purchase Fund figures for wait times showed that just under 900,000 people in this State are on some form of health waiting list. We can see that in the radiology treatment, radiotherapy treatment, laboratory testing, dental, orthodontics, ophthalmology, audiology and other services which are deeply affected. It has an impact on patients. I wish all those who are trying to deal with this issue and get the systems back on track the very best. We all hope that will happen as quickly as possible.

I will put my first questions to the Minister for the Environment, Climate and Communications. I have some questions for the Minister for Health about services. It can be argued that, on cybersecurity, we took our eye off the ball. Many risk assessments over the years pointed out that there was a real difficulty and threat in relation to cybersecurity and a need for more investment. Is it the case that the National Cyber Security Centre only has a budget of €5 million, just 29 staff and the director's post is, as of yet, still not filled?

There is a clear recognition in Government and in this House of the importance of cybersecurity in all our lives.

It is our lives that are affected when a breach like this occurs. The changes to reflect that have been significant in recent years. The last time I was Minister with responsibility for communications, ten years ago, there was one person effectively working part time on the same basis. There are now 29 people.

I asked a specific question about that centre in terms of the number of staff, annual funding and whether the director's position is filled.

The staff provision is 29. The funding is closer to €7 million, not €5 million, including non-pay items. That amount tripled in this year's budget, reflecting the priority this Government gives it. We have a top quality team. I cannot say enough about the skills and public service they provide. However, they are not alone. The key resource in the State, which it is the role of the NCSC to support, are the teams in every Department. There are hundreds of individuals in every Department whose responsibility is cybersecurity. The NCSC supports and advises, but it is part of a wider team we have deployed in this instance and every day.

Much more investment needs to be made. Many security experts will say we are chronically under-resourced and underfunded in relation to cybersecurity, in terms of our Defence Forces and the NCSC. The Minister said the centre became aware on 14 May of a major attack. Could the hackers have gained access to the system weeks before that date? Can he confirm if that was the case?

We have to be careful not to speculate. We can only know the full details and full diagnosis of what happened after the extensive research the NCSC, the Department of Health and the international contractors do. It is likely the hackers were not just in the HSE on that particular day, but had spent a period of time in the system. These attacks are prepared in detail and at length in advance and often require a significant period where people gain access and then enhance their position within the network. The exact days or times are things we will discover as we do the full research.

I ask the Minister for Health who provides cybersecurity to the HSE and the Department. Is it all in-house, does it come from elsewhere or is it a combination? How much is spent by the HSE on cybersecurity annually?

The HSE and the Department have their own in-house ICT teams. The HSE has partners and there is back-up from the NCSC. For example, on Thursday, when the Department of Health spotted suspicious activity, the Department's IT team contacted the centre and took advice from the centre on how to respond.

I appreciate both Ministers will be learning information all of the time. The objective has to be to restore all the systems and a large volume of work has been done. However, there are questions we have to put and the public will be concerned about this attack. I have to put questions about what information these hackers might have. Can the Minister say whether they have sensitive information on patients? Do they have information on staff, including PPS numbers? Have they access to other administrative data? Is it known if they have information in any or all of these three areas?

Apologies, I did not answer the Deputy's other question on IT spent. I will do so quickly. The HSE spend in 2019 was €130 million; last year, it was €145 million. We have allocated a significant increase this year to €203 million. I am sure he will welcome the fact that in this year's national service plan, I allocated funding to almost double the ICT staff. From a base staff of 400, an increase of 358 has been added.

On the question concerning sensitive patient information, the latest briefing I got alluded to files put up online that were heavily redacted. At the time of the briefing, there had not been verification as to whether these were genuine files. My understanding from the briefing was that criminal organisations will use false records to try to extract funding.

On the important question the Deputy asked about the potential extent of the data that have been downloaded, the security experts are working server by server to come up with a detailed briefing on exactly that.

I appreciate the point the Minister made that criminal gangs may present themselves as having more information than they actually have. At this point, is it unknown precisely what information they have? Is the Minister saying the information they have on patients, staff and general administration is unknown? Is it unknown or is it possible they have such information?

The answer is both. It will take time for the security experts to give us a full view across the systems as to exactly what information is available. Is it possible that sensitive information has been successfully downloaded? Unfortunately, it is.

I will ask the Minister about computers used by the HSE. The last time I saw Windows 7, I was in my 30s. I am 46 now and yet we are told many computers the HSE and the Department of Health use operate on Windows 7. Is that the case? Does the Minister have information as to how many computers operate on that system? It has been the case for many years and the Minister, when in opposition, raised some of these issues in respect of integral radiology equipment running on antiquated software. There are CT scanners and many pieces of equipment operating from software that is out of date and not fit for purpose. Does the Minister have information to hand as to how many computers in the Department of Health and the HSE use Windows 7?

No. There are 80,000 such devices and a full audit is going on at the moment. If the HSE has that information already, which it may, I will seek to have it provided to the Deputy.

It has been reported there are tens of thousands. Surely the HSE knows exactly how many computers operate with Windows 7. Surely the Minister has been given that information before he came here today, given that it is in the public domain.

It may well, and I will ask for that information to be provided for the Deputy.

I refer to the organisational capacity review undertaken by the external consultants for the NCSC last year. When are we likely to see the report on that and the draft recommendations? We had a disappointing private meeting of the transport committee earlier, where we could ask questions but not receive any answers. We understand this is a live issue and there are concerns, so we were respectful of that but the resourcing of this branch of government has been the subject of much debate prior to this ransomware attack. It would be interesting to know what work the Ministers had done on this prior to the attack.

Can they give any commitments to the workers in the HSE regarding them getting paid this week and the systems the payroll is on? What volume of attacks have been taking place that we are unaware of in the past two or three years? This is a status-red, high-level attack causing significant damage but how persistent have the attacks been and what level have they been? Has it been flagged that this would happen to such a degree? Are there any measures the Ministers believe could have been taken to flag it earlier and prevent it, given that the resourcing of the NCSC has not been to the required level?

I will answer this as the NCSC has come under my remit in the recent past.

The first question was about the capacity review. My colleague, the Minister for the Environment, Climate and Communications, ordered a capacity review at the start of the year. Following a competitive tender that was awarded to FireEye, which is one of the most reputed cybersecurity firms in the world. Since that time, it has been examining on a comparative basis how the NCSC matches up with other similar bodies around the world. The company will produce recommendations about how it should be changed or restructured or what the salaries and positions should be. I understand that there is a draft of the review, and that it is likely to be finished in the coming weeks. Clearly, when I get to review it, that will be in the light of recent events, which would clearly colour anybody’s view of what the outcome should be.

Regarding the Oireachtas committee, the Deputy will understand that in the middle of a crisis event when an incident response team is on the ground trying to sort out problems that are causing knock-on effects for patient health, the staff are probably not going to be available to answer questions for a long period. In the same way that firemen would not answer questions about the cause of a fire until the incident was over, I am sure they would be delighted to come in before a committee and answer in detail all the Deputy's questions.

Did the Deputy have any other question?

That is fair enough in one way, but in the absence of briefings for Opposition spokespersons, this was a meeting of the transport committee and given that it was not public, there was an opportunity for the NCSC to present to it. We did not see the point of its officials coming to the committee in private and then not being willing to answer any questions. It would have been better not to have come at all. What we would like to see throughout the course of the next few days – we hope this does not go on for too long – is that we would have regular briefings for Opposition leaders or spokespersons. I will conclude my contribution by leaving the Minister of State with that ask.

I agree with that, and I will recommend to my colleagues in government that there should be regular briefings for Opposition spokespersons because this is a common threat to all of us and we should respond to it with common purpose. It is not an issue on which to divide.

I will interact with the Ministers if that is okay.

I am pleased to contribute to this debate. I wish to make a number of points. We had the assistant secretary of the Department of the Environment, Climate and Communications, Mr. Ciarán Ó hObáin before the transport committee this morning to talk about the NCSC. It was a private meeting. We have a number of questions we would like to be clearly answered. First, are the Ministers satisfied that in view of what has happened with the cyberattack on the HSE and the Department of Health that the terms of reference of the capacity review that is currently under way are adequate? I can say without fear of contradiction that it is the biggest virus attack in Ireland probably in living memory, outside of the Covid-19 virus attack. Do the terms of reference cover what is happening at this moment in time? Can the capacity review be expedited in view of what is happening?

There are currently 29 staff in the NCSC at the moment. Is that sufficient? The budget is €5 million. Is that sufficient? A cyberattack took place late on Thursday night or early on Friday morning of last week. Are cyberattacks continuing to happen or is it purely remediation work that is going on at the moment? How long is it expected before the matter will be fully resolved? I ask the Ministers to deal with those initial questions.

To back up what the Minister of State, Deputy Ossian Smyth, said earlier, we very much look forward to the Department and other officials being able to answer a lot of those questions in the course of time, when this immediate emergency response to the incident has passed. I am confident that the capacity review mentioned by the Minister of State will give us a very clear indication of the next steps. My understanding of the draft outline is that it is not looking at radical change. It seeks to further extend our resources but not in a way that fundamentally changes the approach that we are taking.

It is critical to understand that the NCSC has a key role in what has happened, but it is not the only line of defence. In fact, it is not the key line of defence. The key line of defence is every single Department and public agency, every single laptop and every single interaction we take. The Minister for Health mentioned the fact that his Department is spending something like €203 million a year on its IT systems. I could take three other large Departments and add a similar amount to that. For just four Departments we are looking at an investment of more than €400 million in our IT systems, a large part of it relating to IT security. The NCSC has a critical role but it is only an advisory role. Critical analysis and capability is required right across the various agencies of State, in particular within the health system. By their very nature, due to the large expanse of the network of health systems and the large number of people engaged, the urgency of sharing information between doctors, hospitals and so on makes it particularly vulnerable.

The NCSC is not strictly advisory. My understanding is that it is effectively the lead body in the event of a cyberattack taking place. It co-ordinates the response. My understanding is that its role is not an advisory one, but it is very much the lead body in the response.

I am conscious of time. When the Minister, Deputy Ryan, concludes his response could the Minister for Health give an indication of whether the attack on late Thursday to early Friday was the sole attack or are attacks continuing? When is it expected that the matter will be fully resolved within the HSE?

Could the Minister, Deputy Ryan, clarify the point because for many the National Cyber Security Centre is an abstract? For me, it is hugely significant. It devises and co-ordinates the national cybersecurity strategy. It is the lead authority. The HSE rang the centre. Could the Minister, Deputy Ryan, clarify the matter and then the Minister for Health, Deputy Donnelly, respond?

It is critical and highly capable, but I would still argue that the key capability for the front-line defence is in the Departments. The NCSC has a key role in advising, helping and providing analysis, but I stand by the argument as I believe it is fundamentally true that the first line of defence is the various Departments and their resources. That is where we have to concentrate. In particular in the current instance, that is where most of the work is now taking place. It is the people who run our systems there who are now cleaning them out in the methodical way the Minister for Health set out. They are the heroes of what is happening at this present time. They are trying to get our system back up and running. They deserve our greatest help.

The briefings we have in terms of timelines are as follows: on Thursday, suspicious activity was detected by the Department of Health’s IT team. It contacted the National Cyber Security Centre, which provided technical advice on what to do in response. Further to that, there were attacks on both the Department of Health’s systems and the HSE’s systems. The information we have been provided with is that those attacks commenced at 3 a.m. on Friday. None of the briefings we have had since have contained any information on ongoing attacks on either the Department of Health or HSE systems.

Can we take it from what has been outlined that the attack was a once-off attack and there have been no attacks since 3 a.m. on Friday morning?

What I can tell the Deputy is that we have had several reasonably extensive and technical briefings and there has been nothing in any of the briefings I have seen that has suggested additional attacks continued.

It is worth saying, though, that the experts made the point repeatedly that the systems, including the HSE systems, the Department of Health systems and numerous other systems, both public sector and private sector, around the country - our healthcare infrastructure - are the subject of ongoing attack. These attacks to date have been successfully repelled but, obviously, in this case with the HSE, that was not the case.

Therefore, there have been previous incidents, although not as severe. Given the best estimate from the briefings he has received, when does the Minister anticipate the HSE and the Department of Health will be back to normal functioning in terms of their computerised systems, most particularly for patient care and appointments?

The latest position is as follows. In order to bring all HSE services back, the current estimate is that it is going to take several weeks as these services and devices are gone through one by one. However, at the same time, there are certain priority areas which are being focused on, and these include radiology, radiation oncology, patient administration systems and the voluntary hospitals. The rationale for the voluntary hospitals is that not all but some of them were better protected with their stand-alone systems. It is our hope that, in the coming days, some of the more urgent and time-sensitive systems, such as NIMIS, which is the radiology system, will come back online, if not fully, then partly, and sometimes it is site-by-site. They will be coming back online in the coming days.

I thank the Minister for his answers. The Minister, Deputy Ryan, and the Minister of State, Deputy Smyth, will be aware that the communications committee is looking at the National Cyber Security Centre, NCSC, and its role because it falls under our remit. We will expect the Ministers to take part.

To go back to the private committee hearing this morning, some of the issues that came up there have come up more broadly in recent days. These include issues around our state of readiness for this attack, how our systems were or were not in place and the question of whether we should have been more prepared. There is also the issue of resourcing, not just of the NCSC and its facilities, but also the various Departments and agencies that have important work in the cybersecurity area. Does the NCSC have the expertise that is required? What is the working relationship with the various agencies in Ireland, such as the Garda, the Defence Forces, the HSE and other agencies, and also at European and international levels? It seems from responses so far that there is tacit acknowledgement that the NCSC has been severely under-staffed and under-resourced. The fact its budget increased threefold in the last budget essentially acknowledges that the NCSC was severely under-resourced. Will the Minister, Deputy Ryan, respond to that?

To clarify, the budget did triple in the last budget and that was the non-pay element. However, over the last five years, there has been a consistent increase in both capacity and resources. As I said earlier, in my experience of dealing with the NCSC, and I and the Minister of State, Deputy Smyth, had a very extensive briefing three weeks ago, its operations and capabilities are very significant. However, it is not alone. I mentioned other Departments' resources but also, critically, within the Garda national cyber unit, there are real skills. This is criminal activity. That unit also has a central role in targeting and addressing that, and it is also seeing a very significant increase in its budget and resource capability.

In terms of overall governance, it is not entirely clear what is the departmental and ministerial responsibility in regard to the Minister, Deputy Ryan, and the Minister of State, Deputy Smyth. Where did does responsibility lie at this point in time?

As in all Departments, the senior Minister has overall responsibility. I was very glad in recent weeks to be able to appoint Deputy Smyth as Minister of State with specific responsibility for communications and the circular economy. I was particularly interested and glad to have that because he also has a similar role in the Department of Public Expenditure and Reform, where he has designated functions and responsibility for our public ICT systems and also the procurement role. There is a real crossover there at the heart of our public administrative system between the Department of Public Expenditure and Reform and our own Department. The Minister of State also has extensive experience in the area of health IT infrastructure, which was particularly useful on this occasion.

Deputy O'Rourke's time is up. I call Deputy Gannon.

I have five minutes. I intend to ask questions and I will defend my time. The phrase used by the Minister, Deputy Ryan, when asked about the responsibility of the National Cyber Security Centre, was that the key capabilities are in the Departments. I take umbrage at that. When everybody is in charge, nobody is in charge, and at this moment in time, there seems to be confusion as to who is actually in charge of this issue. Following the attack on the HSE, it has been the Department of the Environment, Climate and Communications and we see no place for the Department of Defence, even though the Minister, Deputy Donnelly, has outlined the impact this has had on real people within our country. When nobody is in charge, this is what it looks like: it comes across as a shambles.

Both the Ministers, Deputies Donnelly and Ryan, acknowledge that healthcare has been a real target of cyber security attacks, and that has been recognised in recent years. In that case, when was the last major cyber incident simulation performed, who did it and what was the result?

I want to deal with the question of who is in charge. Of course, somebody has to be in charge. This is a criminal investigation, it is a crime scene, and the Garda is in charge of the investigation. At the same time, the National Cyber Security Centre has a statutory role in incident response. It is a European directive so when there is a cybersecurity incident, they are the people who go in to assist and they bring in outside contractors. However, it is the HSE's IT staff who have the absolute knowledge to be able to rebuild the systems as they are the best skilled to know their own systems. That is the chain of command. It requires an all-of-government response. In this case, we have the Department of Health, the Department of Justice and the Department of the Environment, Climate and Communications involved, and co-ordination from the Department of the Taoiseach.

Given the all-of-government response the Minister of State spoke of, when was the first time we had a cross-departmental meeting in terms of coming up with a response? Was yesterday the first time we had an interdepartmental meeting on this?

The first response was about 6.30 a.m. and the incident had occurred about 2.30 a.m or 3 a.m. The NCSC and the Department of the Taoiseach were involved at the very early stage at about 6.30 a.m. We then had further meetings from 9 o'clock that morning and every element of the State was involved. It was first thing Friday morning, as soon as we became aware of the incident.

There are reported to be 2,000 patient management systems and 80,000 devices to get up and running safely. How many of these are expected to be up and running again by Friday of this week? Will the Minister, Deputy Donnelly, commit to providing a daily public update on the progress?

I thank the Deputy. Daily updates would be very useful. At the moment, the very latest I got from the HSE, just before coming into this session, is that to get all of the systems back up and running, that is, the 2,000 servers and the 80,000 machines, is going to take several weeks. It is a huge effort, with hundreds of people involved right across the country. At the same time, there are priority areas the HSE is focusing on, and that includes radiology, radiation oncology, the patient administration system and the voluntary hospitals. These things do not always work out as we want, they are complex and there can be unforeseen things happening, but the hope is that, in the coming days, parts of those priority areas - as many parts as possible - will be back up and running.

I am going to assume the HSE business continuity plan has a mutual aid provision with private hospitals and, potentially, even across the Border with hospitals like Derry's Altnagelvin Hospital. At what point does the HSE's emergency business continuity plan stipulate that such a mutual aid provision be invoked, for example, for new presentations? Do we have a mutual aid provision and will it be invoked?

What I can tell the Deputy is that, regardless of any formal invoking of contracts, the private healthcare sector is working with the HSE now. For example, the HSE is working with some of the providers on some of the priority areas that I just outlined to the Deputy.

The Deputy will be aware that a safety net agreement was put in place for Covid which can also be activated. In my experience over the last 12 months, when these things happen people really put on the green jersey. I have no doubt that the private providers in this case are working very closely with the HSE to provide the urgent care required.

What is the HSE cyberattack response? Is there a NPHET-like equivalent? If so, what is its membership? Who are its leaders? Who is in the room providing a cyberattack response?

I can get the Deputy a more detailed briefing if it is useful. There are a lot of people involved, the HSE operations people, clinical leads, the HSE IT teams and partners, that is, some of the cybersecurity firms mentioned earlier, some security experts from Ireland, from various firms - there is a sort of war room which has HSE clinical and a wide variety of technical and cyber experts.

Before I begin, I am very lucky to have known the Minister of State, Deputy Smyth, for quite some time. We were on the county council together and it is very reassuring to see his professional background being used, so I take the opportunity to pay him credit, as I do all the HSE staff for their response in this area because it is often overlooked.

My questions follow on from some of those asked by Deputies O'Donnell and Gannon. Can we get clarity on the robustness of the systems in place across every level of Government, and every Department. This involves the HSE and the Department of Health but we must know there is a threat to every Department. We must remember how critical these systems are. What is the cybersecurity awareness of all staff across Government? Do they know how to maintain resilience and how they can be alert to the threats? Let us be under no illusion; this is not just an act of cybercrime but an act of cyber terrorism. It goes to the very heart of protecting the most vulnerable in our society and should be treated like that. It is not a unique attack. Only today the Waikato health board in New Zealand was the victim of a very similar attack. It is a growing threat. Many Deputies have warned of their concerns. How do we gather intelligence and turn that into resilience?

What engagement have we had with partners at EU and intergovernmental levels? Dealing we these threats, wherever they come from, is not something a country can do alone.

The Deputy asked about the information provided to staff to prevent these types of events from happening. There is a parallel with public health advice that it is not the Department of Health that prevents one from being infected but the information it provides to the public and the hygiene habits that, in this case, translate to security habits. It is the information and education about not clicking on links, using strong passwords and all the messages that have to be repeated again and again and making sure that people do that, it is audited and so on. Every staff member has to adopt those habits. That said, we must have in-depth defence. There cannot be a situation where an organisation can completely implode because somebody clicks on a link. The strength in defence and depth and having a secure organisation goes beyond securing the end points and preventing people from getting into one's organisation; once they have penetrated it, one wants to ensure they may only move very slowly throughout it. That requires advice about how one sets up one's networks. Again, that comes back to education. The role of the National Cyber Security Centre is to perform risk analysis of these organisations and to advise on a set of measures to strengthen them and to provide incident response teams when those things happen.

How do we get resilience? We have to keep improving all the time. It is an arms race. One is continually being attacked. It goes back to the parallel with the real life virus which mutates into variants. Computer viruses are upgraded all the time and are mutating and come back stronger and we need to come back stronger all the time. That is why last year we needed to triple our budget for cybersecurity staff. It will go up again next year. The number of IT staff in the HSE doubled in two years. Hundreds of millions of euro are being spent but it will be more in the future because it is an arms race against well-funded cyber criminals.

We are getting support and co-operation from other countries through a number of organisations, Europol, ENISA and we have had direct contact from member states which have also suffered attacks by this particular crime gang. They have kindly shared the information about the signs, when one can see it coming and the remedies that can be applied. We will offer that same information to New Zealand today. I spoke to the National Cyber Security Centre about that.

To back that up, the key is that it has to be an international response. The response in this case included other governments providing us with examples of the same malware and what they did to protect against it. That is the way this works. It is a global phenomenon and problem. The nature of the Internet is that it that connected network. A key thing coming out of this incident is strengthening our defence systems but also using it as an opportunity to further enhance our use of the technology while making it secure. We should be careful not to create a paradigm in the likes of the health system which has had huge benefits and advantages from the use of ICT equipment and new ways of doing things. Perhaps one reason we were particularly vulnerable at this time was because with remote working, there is a very wide network of devices, often remote from central facilities, which is by its nature less secure. It is why these networks tend to be attacked. In response, we should not recoil from the use of ICT infrastructure but double down on making it safer by design, building in resilience. There are attacks all the time. It depends on what one calls an attack. It could be something as seemingly insignificant as a phishing incident or an effort to get someone to link in to allow someone into the network. That in itself is not the key issue; it is, as the Minister of State said, the further line of defence once they get in the network. We must be careful not to lose the great benefits from the use of this ICT infrastructure but to design in the defence systems within it.

Both the Minister of State and the Minister alluded to this being a new variant of a known attack. What is the increased threat intelligence now?

All the time, these software attacks are upgraded in response to the cybersecurity people putting in defences against them. It is an arms race. There is a continuing battle between the two. It is something that we just have to continue with. We cannot fight it alone. We have been attacked but the same and variants of this software have attacked sites successfully in the United States, including the Colonial Pipeline attack, and the attacks within the UK, despite the fact that it has agencies such as the National Security Agency and GCHQ with much wider, better-funded defence powers and with powers of mass surveillance. Despite its surveillance of all this data coming in and out of the country and coming out of the sites, it was still hit by these attackers. We can see this is a world-wide problem and there is a common interest in defeating this, which can only be done by the sharing of information between nation states.

I thank Ministers for taking these questions this evening and commend the many people who are working so hard to try to resolve this issue. I extend our solidarity to the many people throughout the health service who are suffering as a consequence of it.

I will ask several questions and then allow a couple of minutes for some replies. The Minister said that clearing out the systems and getting them going again is basically what is happening. I would like to be assured that, in addition to getting them going again, their security is being reinforced. I want reassurance that we are not planning for the future but actually future-proofing now as we rebuild the systems and get them going again. Many people have told me that many of our existing systems are simply alarm systems rather than defence systems and that we need defence systems put in place in all cases.

Do we know how many times similar attacks have been attempted in the past year? I am told that the NCSC has been warning the Government about these alerts and that, since they are inevitable, it has been seeking more resources. We have been reassured that the Government has sought international assistance on this matter and is working closely with international agencies. Will the NCSC, the Departments and agencies the Minister mentioned need world-class expertise? Will they need to bring in additional international assistance which will be able to put systems in place to ensure we can prevent this from recurring? In other words, how much international expertise will we need to bring to the fore to try to make our system secure as we move forward? We want to make sure we are not back in this position very quickly again.

I thank the Deputy for his words. I share his view that the real concern is for the patients in our health system. He is absolutely right to focus on their needs at this moment. They should be reassured that there is no shortage of resources, international or local. There is a lot of expertise in this area in the country. Many of the companies and others with that expertise have offered to help and are engaging with the Department of Health at the front line clearing out and restoring the systems. We have contracted extensive international expertise and have further experts ready to deploy should there be a further incident or a need to scale up the operation. There is no shortage of resources but, unfortunately, it is a painstaking task. The task is to find the malware in each part of the network and obliterate it. It is a matter of using agents on the network to find it quickly and of checking to make sure the network is secure as we bring it back up again. That, unfortunately, takes time. The key project in the Department of Health is getting the networks back up and running for the patients.

I wish to add my thoughts on our dealings with Mr. Ciarán Ó hÓbáin at the committee meeting earlier. We certainly did not get the answers we were looking for. We obviously accept a criminal entity has made a dreadful attack on this State but a question is being asked about capacity in the NCSC. I want to deal with this, in particular. We welcome the review. We need it as soon as possible. We are talking about the NCSC ensuring compliance. It is about a bit more than just relying on the capacity within the HSE, the area of critical infrastructure or the aviation sector. We absolutely need to ensure capacity. Could we deal with capacity as regards personnel and specific skill sets and the fact that we still do not have a director. I have heard it said that there is a problem in that the positions were not advertised and that some of the positions had staff seconded to them. I heard we do not necessarily have the capacity to ensure compliance. The Minister is talking about the risk assessment of the hundred organisations the NCSC deals with. What risk assessments have been done? What is the capacity within the Garda, Defence Forces and all the relevant organisations? Could the Minister of State revert to me on that? As soon as possible, we need action on capacity within the NCSC.

I thank the Deputy. I appreciate there is a complex arrangement of various groups. Regarding capacity, the capacity review of the NCSC was commissioned by the Minister, Deputy Ryan, in January. The reviewers analysed the strengths and weaknesses of the NCSC, the physical, hardware and personnel resources it needed, how it was doing and how it compared with similar organisations. I will be very reluctant to publish the review when it is issued as it is a guide to the vulnerabilities of the NCSC. I will certainly be acting on the recommendations but it will be difficult for me to publicly tell everybody what the weaknesses of the organisation are and the recommendations for it. It has been upgraded continuously. It has to be upgraded all the time because the threat is continuously upgraded.

With regard to the NCSC's relationship with the Garda, there is the Garda National Cyber Crime Bureau, which I believe has had its number of staff doubled to 140. I can get more up-to-date numbers on that. The bureau reports to Deputy Humphreys as Minister for Justice. The Garda has intelligence from the Directorate of Military Intelligence. It is an intelligence bureau and has a different role from that of investigating crime and making recommendations on how to protect oneself. The NCSC is a statutory body under European law.

I welcome the Minister and Minister of State. I will start with a brief statement and progress to questions and answers immediately afterwards.

I utterly condemn this outrageous attack. It is an attack not only on the Irish health service but also on Irish sovereignty by criminal elements outside this jurisdiction. It is a heinous attack, a heinous crime. The blame for the incident lies principally with the criminal actors, for sure. I agree with the views of retired colonel Dorcha Lee in The Irish Times this morning. He states this cyberattack is of such a scale and of such magnitude and consequence that it should be categorised as cyberterrorism rather than cybercrime. I certainly agree with that thesis.

While utterly condemning the actions of some people, I utterly commend the actions of others, particularly our cyber professionals who have been working around the clock to fix this problem. They are highly motivated, qualified and patriotic people who are working even as we speak. I recognise the clinical staff in the HSE who, once again, are scrambling to try to deal with an incident and a geopolitical shock that was not of their making. I pass on my gratitude to the patients for their understanding and tolerance of the fact that their appointments have been postponed or that their treatments have been cancelled.

I welcome the publication of National Cyber Security Strategy about a year and half ago. It is a very good document. It is certainly a good start but, in light of events in the past few days, perhaps we need to review it and insert more ambition into it because we have just been shown and have proven how important cybersecurity is.

I welcome the appointment of Deputy Ossian Smyth, as Minister of State with responsibility for cybersecurity. I have had the very good fortune of sitting next to him in the past year in the convention centre and we have had numerous discussions on cybersecurity in that period. I have no doubt as to his ability and qualifications in this area. It is very unusual for a Deputy to be appointed to a role for which he is eminently qualified and to which he is eminently suited. I wish him well in his role.

I thank the Minister, Deputy Ryan, for his engagement on cybersecurity, both in public and in private, over the past 12 months. His engagements and answers have always been very thorough, transparent and forthright.

My first question for the Minister and Minister of State responsible for communications is on the capacity review. I appreciate the responses of the Ministers and Minister of State so far this evening. It is hoped that the capacity review will be finished in the next few weeks, as the Minister of State, Deputy Ossian Smyth, said.

Will it be published? Is an implementation body in place to make sure it is actually implemented? We have a great tradition in Ireland, as, indeed, there is across the world, of writing wonderful reports but not really implementing them. Will the Minister comment on that?

The National Security Analysis Centre, NSAC, is an entity which was recommended to be established by the Commission on the Future of Policing. Is the National Security Analysis Centre involved in this response? Is it adequately resourced? I know it is embedded in the Department of the Taoiseach so perhaps the Ministers do not have an answer to that now and could reply in written form if necessary.

At times like this, I am glad that our Defence Forces have sent people to the NATO Cooperative Cyber Defence Centre of Excellence in Estonia. There is one member of the Defence Forces there at the moment. I am heartened by the fact the Defence Forces have sent people as observers to the Permanent Structured Cooperation cyber defence projects. It ensures that we have both the tools and the talent in this country to respond to cyber defence from a military perspective, if required. I am aware the Commission on the Defence Forces will report in December. I understand that it is considering establishing a dedicated Defence Forces cyber defence unit with both defence and offence capabilities. What are the Minister's thoughts on the utility of that? I know the Minister, Deputy Ryan, mentioned that the National Cyber Security Centre is more of a co-ordinating centre than a first response centre. Does the Minister see a role for the Defence Forces in providing a first line of cyber defence?

Implementation of the capacity review will primarily be a responsibility for our Department. I take its advice about what can be published. My instinct is to be as transparent as possible. The National Cyber Security Centre shares a substantial amount of information, often in a secure way, giving different levels of transparency depending on security implications, so we will follow the same approach in the publication of the capacity review.

The National Security Analysis Centre is involved with all of Government. The Department of the Taoiseach is centrally involved. It is an all-of-government co-ordinated response and approach. The Defence Forces have been mentioned. As the Deputy said, they have critical capabilities with regard to the protection of the Defence Forces' own networks. The crossover is evident in that much of the expertise that we have in such bodies as the National Cyber Security Centre are people who have come from the Defence Forces or been trained in that background. There is always crossover and back-and-forward. We are a small State with the capability of having people cross over between different agencies, so that exists in this case.

I acknowledge that the Defence Forces are involved in this incident. Many members of the Defence Forces are involved in rebuilding these systems. I want to see the Defence Forces' role in military intelligence and cyber security strengthened. I would like to see whatever is necessary done to attract candidates to carry out those roles.

Deputies McGrath and Nolan-----

Níl mé ag tógáil-----

Okay. Deputies Healy-Rae and McGrath, níl siad anseo. I call Deputy Connolly.

Maybe I could take some time of the Deputies who did not show up, with the Ceann Comhairle's indulgence. I say that tongue in cheek. I welcome the Minister's written speeches and thank him. I tremble when I hear the Minister for Health saying that it will take weeks, while I understand there are difficulties, until services resume as they were. To put that in context, if one takes just orthopaedics, people are in agony, not according to me but according to a consultant who has written to us repeatedly. Some 1,143 people are waiting on the inpatient list for orthopaedics and 6,602 are on the outpatient list, and so on. We got a reply to say it would take 18 months. In the last two weeks before this, we were told to ignore that 18 months but that it would be cleared some time in the future and they could not possibly tell us. That is just orthopaedics. Of two operating theatres, one is still gone more than four years later and there is complete uncertainty about an emergency department. We are now telling people to wait because of this cyberattack.

As somebody who pleads total ignorance when it comes to this area, I am still able to ask what risk analysis was done. What was pointed out to the Department with regard to the underfunded and underresourced National Cyber Security Centre? It has existed since 2011 and is in its tenth year. What risk analysis came forward about the underresourcing and understaffing?

A risk analysis is carried out of all the major critical infrastructure bodies, especially the HSE because it is so large and vulnerable. At this stage, I will not publish the vulnerabilities of specific organisations, the measures that they were asked to do or whether they were carried out. That is because we have a live incident.

I understand that.

We will have a lot of time to investigate what actually happened.

I understand that we are in the middle of a crisis. Just let me put the questions. The Minister of State has confirmed that risk analysis was done repeatedly and that various risks were identified. They were identified for various Departments, agencies and bodies. I look forward to getting details on that at a more opportune moment. There would have been a risk analysis with regard to the National Cyber Security Centre itself, which is underresourced and understaffed. Presumably that was part of the capacity review that was commissioned by the Minister, Deputy Ryan. I understand that it was due for publication or completion in mid second quarter. We are past the mid second quarter. Why has that not been completed?

We have had level 5 pandemic restrictions since the start of the year and are in the middle of a human virus crisis, and have now been hit with a computer virus crisis. It is important that this is done right. It will be difficult to publish it. Deputy Berry asked if we can publish this.

My question was about why it was not published. The Minister of State is telling me it was because of Covid. I do not accept that. Covid did not interfere with the completion of this. It was extremely important to complete this capacity review, which I presume is limited, because it is simply about capacity. We are talking about the risk of the computer system. Deputy Cullinane already asked the question about Windows 7 and the failure to upgrade. What risks were associated with that? Was there a risk analysis? We have the former CEO of the Health Service Executive, who is very good retrospectively, coming forward to tell us that there was not enough investment. Did he or the current CEO identify the risks with the computers? Did they come forward to tell the Minister the risks involved in not upgrading and not having sufficient funding? It is a "Yes" or "No" question. I refer to the previous CEO or current CEO.

The Deputy will understand that I cannot publish the vulnerabilities of the critical infrastructure bodies in the country and say to the world that these are the places where these critical organisations are at the weakest, where they can easily attack.

The replies leave a lot to be desired. In my last 30 seconds, I refer to State security. We have ignored the risks that existed. We have put patients at risk on top of a pandemic and they have been extremely patient. The doctors told us that the situation in Galway was intolerable and now, on top of that, because we have failed to analyse the risk of putting all our eggs into one type of computer system that was utterly deficient and at risk, the Minister of State is telling me he cannot answer a question. For God's sake. If he thinks I can go out of here, happy with that-----

The Deputy said at the start that she had no idea about this area. I think she has proven that.

I will go over time for a second with the Ceann Comhairle's permission. I am not expert in IT and the Minister of State is certainly not coming across as somebody with expertise, but I have expertise in asking questions and getting some accountability. That is what I am attempting to do here.

Deputy Connolly is entitled to ask questions. That is why we are here tonight. It is important that we have that capability and also that we try to achieve common purpose as we address what is still a critical situation. For those patients in Galway, and for that reason, we have to be careful here in what we say.

Various Members, including Deputy O'Donnell, have said they were not able to get as much information as they wanted from the earlier committee meeting. This is because we have to be careful as this is an ongoing incident in which significant twists and turns may arise as it evolves. We are only in the early phases of this. The first phase involves identifying and containing the problem. We will then seek to remedy it. Providing that remedy will take a significant amount of time. There may be real consequences, particularly for those in the health service.

The various people involved in this were mentioned. Those working on the IT system within the healthcare sector are particularly worthy of mention. The truth is that, during the Covid pandemic of the last year, they have been under incredible strain. They have had to react to a whole series of different and changing circumstances. They have been required to create what are effectively entirely new systems. They created an entire new system for contact tracing and for rolling out the vaccine, a system which luckily has not been affected in this instance because of the way in which this separate network was created. They are the people most affected immediately with regard to the ongoing strain they have faced in their work over the last year. I commend them and wish them well. The rest of us are, in effect, there to provide support. It is they who are the front-line key workers at this moment in time.

We are in very difficult circumstances. As Deputy Stephen Donnelly has said, this is going to take a number of weeks to resolve. In those circumstances and with that sort of timeline, which is unfortunately inevitable because of the scale of the damage that has been done, our key concern is for the patients whose care may be affected. I have absolute confidence that the Irish health system, which has shown great resilience in adapting during the Covid pandemic, will show similar resilience in providing care in whatever way is possible with the limited systems we have in place.

I listened with great attention to what various Deputies said with regard to the need for the capacity review to be published. We will do that, subject to advice. In a world in which there are criminal elements who would look to exploit information which might identify some of our capabilities or lack thereof, we have to be careful, but we will publish that review insofar as is possible. I hope that will give people real confidence and back up what I see as the reality. We have been in a maelstrom for the last four or five days but, from working with officials, I can say that I have been highly impressed with the service they provide to the public, their sense of dedication, their real capability and their calmness under very difficult circumstances.

I appreciate this chance. We had the opportunity today to share, as best we could, some of the information we have. As Deputy Smyth said in response to an earlier request for further briefings to be provided to Oireachtas Members from the various different groups, we will absolutely look to make that happen in a way that ensures confidence and security while providing information to Members of the Oireachtas.

I will start by thanking colleagues across the House for their time this evening and for their input, questions and proposals. It is very galling that our public healthcare system and our patients, some of the most vulnerable people in the country, are the victims of this vicious criminal attack. It is a despicable attack which shows scant regard for human health or human life. I acknowledge the very real anxiety that patients right across the country are feeling tonight, felt earlier today and yesterday and will feel in the days to come. Patients are desperately waiting for treatment. In some cases, it is urgent care. In others, the treatment may be less urgent but the patients may have been waiting a very long time, often too long. I include adult patients and the parents of children who need treatment in that remark. There is great worry and anxiety, which is very understandable.

We have to do everything we can. I say to those patients, and to the parents and families of patients, that everything that can be done is being done. There are hundreds of people working across the State right now to get these services and systems back online as quickly and as safely as possible. In so doing, we are prioritising the most urgent services including radiology, radiation oncology, the patient administration systems and work with the voluntary hospitals, some of which are less compromised than HSE services because of their standalone systems. While it is going to take weeks to get all of the services back up and running according to the latest information we have, we envisage some of the more urgent services coming back online, part by part, in the coming days.

I acknowledge our healthcare staff. They have been the very best of us over the last year. They have stepped up day after day, first in dealing with one virus, Covid-19, and then in dealing with its variants. It has been a brutal year in healthcare. Our healthcare staff right across the board, both clinical and non-clinical, are exhausted. They have shown themselves to be the very best of us. At a time when we were beginning to get a bit of breathing space and when the country collectively was suppressing Covid, as it still is, and when the vaccine programme was going from strength to strength, as it also still is, we were beginning to again have conversations in healthcare about waiting lists, building more hospitals, supporting GPs, hiring more clinicians and doing all of the wonderful things that need to be done in healthcare. Then the same people were hit by this. They are now working in our hospitals and community teams right across the country. They are under incredible pressure. They are doing their very best for their patients but things are slow. The patients are, very understandably, frustrated. I ask people who have to go to emergency departments, where things are slower than anyone would like, to be understanding of our healthcare professionals, as I know people will be. They are doing their very best. They are trying to get people triaged, assessed, treated and scanned as quickly as possible but everything is taking longer because of this vicious attack. I pay tribute yet again to our healthcare professionals who have stepped up, this time to deal with a different type of virus.

The Government takes IT security and cybersecurity deadly seriously. For example, the HSE budget has increased. In 2019, it was €130 million. Last year, it increased significantly, to €145 million. This year, it is €203 million. Critically, in this year's national service plan, the funding for IT staff has been almost doubled. As of last year, there were approximately 400 staff. That is being increased by in excess of 350 additional staff. There are massive increases in funding and in staff. We all know why.

While this is taking time, steady progress is being made. Many highly professional, highly patriotic people are working within the HSE and the National Cyber Security Centre. The Defence Forces have been involved, as is the Department of Justice. A whole-of-government approach is being taken. Steady progress is being made. I thank the people involved. They are working every hour, night and day, to make sure that our services are restored and, most importantly, that patients get the urgent care they need.

It would be appropriate for me to say that the House in its entirety wishes the Government, including the two Ministers and Minister of State present, our health administrators and our health professionals absolute success in undoing the despicable crimes that have been committed against the Irish people, who require the support of our health services.