I very much welcome this debate on the Health Information Bill, even if it does feel like Groundhog Day. This piece of legislation is of critical importance to digitising our health service, and we in the Social Democrats are very happy to support it.
Over the years, multiple national policies have committed to delivering ehealth technologies. The promise to revolutionise our health service has yet to be delivered. It is true that this is a complex endeavour, and it will come at a significant financial cost, but there can be no excuse for the repeated failure to prioritise digital healthcare.
In 2024, it is frankly unacceptable that we have still not moved away from pen and paper in so much of our health service. I acknowledge that there have been developments in individual hospitals and GP clinics, but we need these systems to be integrated and to communicate with each other. Records need to follow patients, regardless of the healthcare facility they visit.
It is almost 11 years since the eHealth Strategy for Ireland was published. This 2013 strategy stated that the ICT budget for healthcare in Ireland was approximately 0.85% of total healthcare expenditure. At the time, the EU average was between 2% and 3%. I accept that funding for ehealth and ICT has increased since then, but it has not been in line with increases in the overall health budget. According to the ESRI, between 2017 and 2021 ehealth funding increased from €55 million to €120 million. However, that still only equates to less than 0.8% of the health budget. That is similar to the relative spend prior to the 2013 strategy.
The Department of Public Expenditure, National Development Plan Delivery and Reform has a great deal to answer for in this regard. It seems to need constant reminding that the "R" in its name stands for reform. It does not buy the idea of reform or see itself having any responsibility at all for the promotion and especially the funding of reform in other Departments. A case in point is the long-running saga over electronic health records, EHRs. We discussed this at the health committee in January 2023. When I asked the HSE about progress on electronic health records, I was told that they were not even at the starting line. The main reason for this, was that the Department of Public Expenditure, National Development Plan Delivery and Reform had rejected the business case for EHRs. The business case was submitted in May 2016. The accompanying documents state that a review of the scientific research found that implementing EHRs would lead to a 25% reduction in emergency attendances, a 37%reduction in preventable hospitalisations and a 35% reduction in medication errors. It was a no-brainer.
The estimated cost for a nine-year implementation was said to be between €609 million and €824 million. However, in documents released to the Medical Independent under freedom of information, it was revealed that the Department of Public Expenditure, National Development Plan Delivery and Reform had concerns about funding the project within national development plan ceilings, given the overruns at the new national children's hospital. A January 2019 letter from the assistant secretary in that Department said that it would "be most appropriate to seek Government approval to implement an EHR at the new Children's Hospital first”, following its opening. That was an incredibly short-sighted decision. As we now know, sacrificing the full roll-out of EHRs did not address overruns in the new children's hospital. There is no need to repeat that.
Further reporting in the Medical Independent revealed that in 2022, three years after the EHR business case has been rejected, the HSE board was asked for guidance and strategic direction on ehealth. According to the HSE's chief information officer, the programme was effectively paused. That is a damning indictment of both the Department of Public Expenditure, National Development Plan Delivery and Reform and the Department of Health.
Since the 2016 business case was submitted, eight years have passed. That is almost as long as the expected timeline for full implementation of the ehealth strategy. EHRs are critical to transforming our health service. They have been described as the cornerstone of the ehealth strategy, yet we are only now dealing with the legislation needed to provide a legal basis for them. We still do not have a funding package for the strategy or a timeline. The national roll-out of EHRs would still seem to be some time away.
Other countries are miles ahead of us. Twenty three EU member states now provide access to electronic health records through a centralised access service. Finland has had EHRs since 2007, while Estonia has had them since 2008. Last year, Ireland ranked lowest among OECD countries in digital healthcare provision and digital health readiness. That is not a record the Minister or his predecessors can be proud of.
Notwithstanding the urgent need to digitise our health service, there are a few issues that need to be teased out and clarified on Committee Stage of the Bill. Part Two deals with the "duty to share". During pre-legislative scrutiny, I raised some concerns with respect to confidentiality that still remain to be addressed.
I note that the Bill provides for the HSE to create guidelines on the information to be shared and with whom. More clarity is needed at this stage.
While the Bill states that information sharing must be necessary, relevant and proportionate, how this will be adhered to in practice still needs to be teased out and clarified. I appreciate this will be informed by GDPR, but significant and meaningful engagement with the Data Protection Commissioner will also be vital, in particular to ensure that the principles of data protection, such as transparency, data minimisation and data security, are fully respected.
The definition of "health services provider" in the Bill is also very vague and could cover a vast range of healthcare professionals. We need to ensure that the guidelines are explicitly clear about who should have access to records and on what basis in order to ensure confidentiality from a patient's perspective. This is particularly pertinent in respect of the information that GPs have. The relationship between a patient and their GP is a very personal one. I accept that section 13 provides patients with the right to restrict access to information in their records, but not all people will have the digital literacy or capabilities to exercise such rights.
In 2021, the ESRI recommended the development of specific supports for vulnerable populations to address barriers to understanding ehealth, such as lower digital literacy and language competency. We need to make sure we get this right and bring people with us because any concerns around privacy would undermine public trust in the entire system.
Another area which requires more detailed scrutiny is the secondary use of data. This data will be extremely useful for scientific research, policy making and the development of products and treatments. However, the State is poorly prepared to utilise it. In 2023, a pan-European steering committee was established to assess member states' readiness for implementation of the European Health Data Space. Its report on Ireland stated that infrastructure for secondary use of data will also need to be built almost entirely from scratch and managed by people who are not yet on the payroll. The report went on to say that even the most basic health information, such as the number of patients nationally with chronic diseases like diabetes, is not currently available in Ireland. Again, that underlines how our data systems are shockingly weak and result in additional costs and, of course, major problems when it comes to planning services.
For decades, the fragmented nature of data collection in Ireland has undermined the State’s ability to plan healthcare services effectively and efficiently, and unfortunately this continues to be the case. This is a key reason we need to accelerate the digitisation of healthcare and health data. However, notwithstanding the importance of realising the full potential of secondary use data, we must ensure that there are strict controls around its use, in particular when it comes to private companies. This is an especially pertinent point in the context of the European Health Data Space, which this Bill is informed by. We must have robust ethical and legislative parameters around any commercial involvement in secondary use data.
I fully appreciate that such data at a population level is invaluable in developing potential therapeutics and treatments, and that is very important. However, we must remember that genetic and genomic data is considered a special category of personal data under GDPR, and should be treated as such. This was noted in a 2021 HIQA report on the sharing of health and social care information. Particular concerns were raised about the sharing of genetic data for secondary purposes without consent due to the difficulties in truly anonymising genetic data.
The other issue is that genetic and genomic data convey information not solely on the individual, but also, of course, on their relatives. This means that there is a question over the appropriateness of obtaining consent from a single individual to share their genetic data with a private entity, such as an insurance company. I accept that this is tricky from a legal and ethical perspective, but it certainly requires further scrutiny.
The Minister will remember the 2020 brain tumour research study between Beaumont Hospital and GMI, which highlighted serious failings in our data protection framework. Concerns have also been expressed about the increasingly active role of large technology multinationals in digital healthcare. For big tech companies, healthcare is a huge source of extremely valuable data which can be converted into potential revenue. Given that eHealth Ireland is creating huge demand for its digital infrastructural services, such as cloud space, we must ensure its influence and market power does not override the public interest.
The final issue I wish to raise is that of security. As we become more reliant on digital health, the importance of strong cybersecurity will be even greater. Health data is a prime target for cybercrime. Unfortunately, we know this all too well following the 2021 HSE ransomware attack. This incident showed how easily our whole healthcare system can effectively be brought to its knees. Just one click on a malicious file allowed criminal hackers to access and encrypt the system and move through various hospitals and health centres. In total, they gained access to the personal details of more than 100,000 patients and staff.
The 2021 hack is said to have cost the State at least €144 million. Prior to that, there had been repeated warnings about the inadequacy and vulnerability of the HSE’s digital systems, but these were ignored. Following the breach, in 2022 the Comptroller and Auditor General said that over €650 million will be needed to implement cybersecurity improvements over a seven-year period. While investment has increased in line with the post-incident report recommendations, it is deeply concerning that the new digital health framework is so notably ambiguous about the health services cybersecurity plans.
In a 65-page strategy, the best the Department of Health could do was commit to an evaluation of the resources needed to build our cyber-resilience infrastructure. Such a commitment, three years on from the hack, is unacceptable. If it was not so serious, it would be almost laughable. This problem is not going anywhere. In fact, cyberattacks are going to become more and more frequent. Between January and May, the National Cyber Security Centre, NCSC, had already launched 211 investigations into cyberattacks in Ireland, compared to 309 in all of 2023. We need to get ahead of this. Cybersecurity must be a priority.
The HSE still has not recruited a permanent chief information security officer. That post was supposed to be filled by the end of 2022. I appreciate that there is major competition for talent and salaries for similar roles in the private sector are huge, but the half-hearted commitment of successive governments to ehealth is also part of the problem. This Bill is a step in the right direction, but it is going to take a lot more ambition and imagination to bring Ireland’s health service into the 21st century.
For instance, the new patient app, which is being lauded by this Government and the HSE as a major advancement in ehealth, barely scratches the surface. It is a welcome development, but compared to our peers in Europe it is a very basic initiative. The initial roll-out will not include voluntary hospitals, which account for around a third of all hospitals, including some of the largest.
It is still the case that Wi-Fi is only fully available in 31 the 49 hospitals. I accept that free Wi-Fi is in the process of being rolled out nationwide, but we are told it will be the end of 2025 before all HSE sites have access. We have a long way to go. Ireland is a complete laggard when it comes to ehealth. I appreciate that will not change overnight, but how many more plans will it take before we see real follow-through, instead of piecemeal changes? Sláintecare was clear on the importance of ehealth in enabling reform of our health service. but seven years on it seems like we are only getting started. There can be no more excuses. The ability of our healthcare system to effectively meet patient need depends heavily on the quality of our health information system.
The pandemic exposed the failings in our digital health systems and infrastructure, but it also highlighted the HSE’s ability to quickly develop and implement the use of new technologies. That level of urgency and willingness to change must be harnessed again, because the HSE is capable of transitioning to a digitised health service. The question remains whether this Government is capable of driving that change. At a recent health committee meeting we discussed this and got a general update. We asked about the progress on the digital health strategy. We know about the framework and we know that this legislation will underpin it. However, when we asked a question about EHR, the reply we got was "Oh yes, we have many EHR systems, but we need them to be talking to one another" and my heart sank. The potential of this is enormous. We should not be repeating the mistakes of the past where there was shortsightedness on the part of the Department of Public Expenditure, NDP Delivery and Reform. This is a fantastic opportunity to transform the health service, to enable proper future-proofing of the health service and ensure we have proper services where we need them. We now need the strategy to be implemented as well as for this legislation to be in place.