HSE audit committee discussed ‘cyber risks’

Cyber security was on the agenda of the HSE’s audit and risk committee in March, weeks before the major ransomware attack that paralysed the health service. The committee discussed “cyber risks” and sought a general overview of the HSE’s “technological landscape and changing risk profile”, according to minutes seen by the Medical Independent (MI).
The committee’s March meeting discussed “rapid ICT deployments and changing risk profiles” and heard that the “risks over the last year have changed with a rise in focus on cyber risks”.

The committee requested a follow-up session involving the HSE Internal Audit Division and Office of the Chief Information Officer to further discuss the issue. Because of an error in uploading to the HSE website, the minutes of the March meeting are not complete. Cyber security is one of 17 ‘red’ risks on the HSE corporate risk register (CRR) approved by the HSE board.

“There is a risk to the HSE effectively protecting the confidentiality, availability and integrity of HSE data including patient data against cyber threats impacting directly on patient care and safety and staff as a result of the inability to deliver ICT and specialised medical device dependent services,” reads the CRR.

Meanwhile, the National Coordinator of the general practice information technology group, Dr Conor O’Shea, told MI it was generally accepted that Ireland spent much less on healthcare IT than other jurisdictions. Commenting on whether the attack could delay the introduction of electronic patient summaries, a unique health identifier and other IT projects, Dr O’Shea argued that the attack should not be allowed to result in further delays. More IT investment is required and lessons must be learned from this incident, he said.