HSE internal watchdog told of ‘unsatisfactory’ IT system in February
Cyberattack was on organisation’s register of risk – but it will not tell us for how long
The Health Service Executive has finally confirmed that ‘cyber security’ was acknowledged as a risk factor on its corporate risk register.
It comes after the Irish Mail on Sunday repeatedly asked for details of the health service’s risk register since the day after the cyberattack on May 14, which has had a devastating impact on hospital services across the country.
A risk register identifies risks and puts controls in place to manage those risks that may pose a threat to an organisation’s structure, staff and services. The HSE confirmed to the MoS: ‘Cyber security is listed as an item on the corporate risk register.’
The response is official confirmation that the HSE was aware of the danger a cyberattack posed to the country’s health services.
The risk register is a dynamic tool and is regularly assessed by the HSE’s audit and risk committee, which includes national directors, to discuss ongoing operations and policy issues.
However, the MoS has learned this committee, which meets monthly and met twice-monthly at certain periods last year, failed to publish its meeting minutes for January, April and May last.
The MoS has requested to see the minutes of the meetings and has asked if the committee met in the weeks leading up to the attack.
Available committee meetings suggest issues relating to the HSE’s Information and Communications Technology (ICT) systems may have been put on the long finger due to the pandemic.
Crucially, in the committee’s meeting in February, the national director of internal audits, Dr Geraldine Smith, presented the Q3 ICT report with an ‘unsatisfactory audit opinion’.
The committee requested that the ICT assurance process be presented at the April meeting and asked that the process address the sustainability of the ICT system. Information on that ICT assurance process has yet to be shared.
Separately, the minutes from November 2020 reveal a review of the HSE’s ICT data protection policies was due to take place last year.
But this was delayed until the first quarter of this year due to the ‘reprioritisation of work around Covid-19 systems’.
The minutes from December 2020 show the issue of cybercrime was raised by the committee, but it was decided by the national director for human resources that this issue required a separate policy and no further actions were taken.
Data protection was also highlighted during this meeting as a new risk, including ‘data retention risk with sensitive personal data’.
Following the cyberattack the MoS asked the HSE:
• Does the HSE have a risk register?
• If so, was a major cyberattack on IT systems on the risk register? If so, when was it put on, and was it specifically warned about by any particular audit? If it was not on the risk register, why?
• If the risk of a major cyberattack was foreseen, what mitigation measures were put in place to prevent such an attack?
The HSE responded: ‘Cyber security is listed as an item on the corporate risk register. There is a HSE internal audit, and we published a summary of the outcomes.
‘A number of actions to enhance security measures: The HSE and Microsoft have reviewed all aspects of identity and access management, information protection, threat protection, security protection and have formulated an action plan which was completed in October 2020.
‘A perimeter security improvement firewall capacity upgrade was completed in Q4 2020.
‘A standard email hygiene solution implemented across mail environments completed in 2020 as planned. Upgraded infrastructure with modern security features. New security environment for vaccination environment. Upgraded applications and database technology.’
The HSE added that in the last three years there was a €300m capital spend coupled with €180m current expenditure on IT, adding that a ‘very substantial investment in IT is under way’.