‘Centralisation’ of servers is ICT risk – Rotunda

The “centralisation” of servers for the maternal and newborn clinical management system (MN-CMS) “is a risk and could lead to more sustained and impactful cyberattacks”, heard the Rotunda Hospital’s risk committee. 

At a meeting in September 2021, where the impact of the cyberattack on the HSE was discussed, the hospital’s exposure as a fully digital setting was also noted. The meeting minutes were seen by the Medical Independent (MI) following a Freedom of Information request. 

Risks in relation to the requirement to scan or manually upload and validate all patient information and data from the period of the cyberattack to the MN-CMS and integrated patient management system (IPMS) were outlined. 

All systems were back operational, with the IPMS and MN-CMS the last systems reinstated. The administrative workload to input an extensive backlog of patient data continued, heard the meeting. 

A Rotunda spokesperson told MI: “MN-CMS means we are a fully digital hospital with regard to EPRs [electronic patient records] and therefore the management of all patient flow and treatments is recorded electronically which leaves us exposed in the case of a cyberattack. MN-CMS is being rolled out nationally to all 19 maternity units, but is only in place in four units. This system is managed centrally with all servers being housed by the HSE.” 

Following the cyberattack, the HSE had provided funding to “address local issues and resource deficits in IT”, according to the Rotunda spokesperson. The HSE “continue to provide centrally managed and enhanced cyber controls such as Mandiant and FireEye to all hospitals”.