Cyber Security Policy

Within the HSE the Office of the Chief Information Officer has responsibility for information security, information governance and cyber prevention across the HSE including HSE acute hospitals and Community Health Organisations and regularly informs all business unit users within the HSE on information security issues and best practice. Along with managing the HSE's own ICT estate and assets they also manage shared applications and services that exist in voluntary hospitals and other providers. These agencies in turn have responsibility for local ICT security and assets in relation to their own systems. The Office of the Chief Information Officer also manages the health networks that connect many health care facilities across the country. Other activities in terms of cyber security are ensuring that the infrastructure, including the data networks, file servers and personal computers are securely maintained with anti virus software and updates. In addition, other services provided include managing perimeter security devices such as firewalls, monitoring tools, anti-virus and mal-ware detection systems and software. Staff training and awareness is also a critical element in providing a defence against cyber attacks and is provided by the Office of the Chief Information Officer. In that regard it is difficult to quantify those costs elements that are security related from other management activities. As other cyber related costs are not routinely available I will instruct the HSE to provide a more comprehensive breakdown of figures in relation to cyber costs to the Deputy. In relation to anti virus software the HSE spend approximately €0.5m per annum.

As the Deputy is aware, the last week has brought home to us the importance of digital technology supports in the provision of modern health and social care services and the threats that cyber attacks can bring to undermining those services. The HSE first became aware on Friday last of a major cyber security threat in the form of a ‘ransomware’ attack on its infrastructure. The CIO's Office coordinated and organised a comprehensive response to the cyber attacks in the last week including developing the #ThinkB4Uclick information campaign across the health services. Similar attacks were threatening the national Health Services in the UK and many other countries. Such attacks pose a serious threat to the provision of health services and the priority at all times is to ensure that patient safety is not compromised, particularly in relation to the provision of clinical services. It is a critical priority to protect the confidentiality of patient data. In relation to the current cyber incident the HSE and the Department are working in close cooperation with the National Cyber Security Centre and with the Department of Communications, Climate Action and Environment.