3.1 Implications for Service Delivery
The COO provided the Committee with a verbal briefing on the implications to service delivery following the Cyber Attack. The Committee were informed that this is having a very serious impact on services within the HSE.
The overall approach to managing the issue has been an integrated approach involving teams and groups across every CHO. The COO highlighted that a large focus has been on prioritisation and that, through support from the CCO, work has focused on bringing back key patient care systems in line with clinical priority and keeping patients safe while maintaining essential care and support.
Progress has slowly been made in essential services, but there are continuing challenges across the systems, especially in community operations, where contingency plans vary greatly and have fewer resources than hospital services.
Systems which have come back online are working within their own bubbles and are not communicating with other systems. Communication continues to be a challenge. Regarding patient areas, unscheduled care has seen a large rise in cases, particularly in the west, midwest, and the south. There is a notable difference in the patients being admitted through emergency departments compared to previous weeks, with length of stay times rising.
This has a huge impact on available beds in the system. The Committee noted that scheduled care is continuing but there has to be some scaling back in this area due to unavailability of services such as the ability to sterilise equipment.
The COO highlighted that as IT supports return online some relief will be provided; however, full end-to-end clinical pathways remain significantly disrupted, with concomitant risks.
The Committee commended the huge effort provided by the HSE staff. Questions were raised regarding the overall impact on patients that this event will have had and it was noted that more comprehensive answers will be provided in the future. Additionally, the Committee sought information on the mood and morale of the workforce.
The COO informed the Committee that in April service delivery schedules were beginning to return to normal, following the height of the COVID response, and management were highlighting the need to reflect annual leave in rosters; however, there are now even more demands on staff as they are working in different ways.
Across the board there are heightened levels of stress and worry about risks at every level in the system. The Committee followed up this discussion with a specific request for a plan to allow for annual leave to be taken in the system. The COO outlined that there is a push for planned leave to still be managed and taken.
3.2 Update on the four phases of HSE Critical response
The CIO outlined to the Committee the response which has been implemented following the Cyber Attack on the HSE’s IT systems. As per the HSE’s cyber security critical incident response, a four-phase approach has been followed. So far, the Contain phase and the Inform phase have been completed.
Elements of the Inform phase have continued, with information provided to the public via the HSE’s websites and local service providers. The two integrated parts of the Assess phase are now both underway, as operating systems are being assessed and services are being brought back online using a “path to green” progress report which highlights system readiness to be restored.
Finally, the Remedy phase which refers to the strengthening of the HSE’s network and applying lessons from the present attack is also being undertaken. The CIO highlighted that standing back-up systems with additional security is a significant piece of work and progress is slowly being made.
The Committee were informed that large elements of the financial impact of this attack will involve bringing forward improvements and costs that were already planned but were due to take place over the next two or three years rather than immediately. The Committee noted that the financial cost falls into four different categories: ICT capital, IT security firm costs, Security Operations Centre managed service, and Microsoft O365 licences. Regarding capital investment, the CIO responded to questions, informing the Committee that in the Irish public sector spending on this area was typically about 2% to 3%.
The CIO advised that in the HSE around 1% - 2% of the ICT budget is spent on cyber security. The CIO also highlighted that the Board’s post-incident review has been initiated and will take place independently of the executive. Following discussion on the impact of the Cyber Attack, the Committee queried the current vulnerability of the HSE IT systems and the possibility of another attack in the short term. The CIO outlined that the systems are not vulnerable presently as there is no current external internet access.
The Committee also asked whether, given the reform which has been undertaken as a result of the COVID-19 crisis, a pattern will emerge following this event. The CIO said that part of the lessons learnt so far is that cloud services have survived and have seen less impact than the majority of systems which are stored on HSE servers. This suggests more systems will move to cloud services, such as email systems and New-born and Maternity services. Overall this will need to be reflected in government policy with a move from operational expenditure to capital expenditure.
The V/Chair of the Audit and Risk Committee (ARC) informed the Committee that at the ARC meeting last week it was highlighted that following two large risks in the form of COVID and this cyber-attack materialising, resilience needs to be built in the system. It will also be important to consider what risk will next be formalised for the HSE and to structure thinking around this.
The Committee agreed that it would be helpful to consider the National Risk Register and look at the risks on the HSE Risk Register in context of this National Risk Register. This would help assist the integrated response already being undertaken by the HSE. It was agreed that the Chair of the Committee would discuss this point further with the V/Chair of the ARC and with Louis Flynn. The Committee also highlighted the importance of considering the HSE’s position in the IT realm and suggested that consideration might be given to 3rd party suppliers of cyber security.
Actions:
- The Chair will discuss the National Risk Register and its uses with the V/Chair of the ARC and with Louis Flynn
3.2.1 Update on NSP 2021 Q1 Review Phase 2
The COO provided a verbal high-level overview of the NSP Q1 2021 review phase 2. The Committee were informed that there has been communication with the department and that it was agreed that the April data will be the least affected by recent events; April is also the first month in 2021 where levels of services are within expected activity/targets. For these reasons, April data will be used to assess both the impact of the pandemic and the cyber-attack on service level targets and as baseline data for calculation of year-end projections in the Review.
It is expected that 80% of community data will be available from the period and there is still a chance that more will be available. Services will look at what is included in the April data and it is expected that a clearer picture will be available next week.
There are a number of challenges ongoing around leave, recruitment, ongoing support for vaccination and testing, and beginning to undertake the winter planning process which are all being taken into consideration. The COO outlined that work is ongoing on this review and the intention is there to complete it.
The timeframe to have this is now July and further information will come to the Committee then.
3.2.2 Update on ICT Capital Plan
The CIO provided a high-level verbal update on the ICT Capital Plan. He outlined to the Committee that up until the 13th of the 5th the HSE was on target for its ICT capital plan spend. Since the 14th this has been suspended and only about €900K has been spent, resulting in about €11m remaining unspent. It is expected that suspension will remain until early September.
The CIO agreed to bring a further update to the Committee at their July meeting, and this will include a view of what the impacts of any delays may be.
Actions:
- The CIO agreed to bring a further update to the Committee at their July meeting, and this will include a view of what the impacts of any delays may be.