Committees of the board meeting minutes

HSE Technology and Transformation Committee meeting minutes 12 September 2023

A meeting of the HSE Technology and Transformation Committee was held on Tuesday 12 September 2023 at 9am via video conference.

Meeting details

Members Present

Tim Hynes (Chair), Fergus O’Kelly, Martin McCormack, Rosaleen Killalea, Derick Mitchell.

Apologies

Brendan Whelan, Barry Lowry.

HSE Executive Attendance

Niamh Drew (Deputy Corporate Secretary), Rebecca Kennedy (Office of the Board).

Joined the Meeting

Pat Moran (PwC – Item 3), Will O’Brien (PwC – Item 3), John Ward (Interim Chief Technology Transformation Officer – Item 4), Brian Murphy (Head of Corporate Affairs – Item 4).

Minutes reflect the order in which items were considered and are numbered in accordance with the original agenda. All performance/activity data used in this document refers to the latest information available at the time.

1. Committee Members Private Discussion

The Committee held a private session to review the agenda, the relevant papers and approach to conducting the meeting, noting that the focus of the meeting would be to receive updates on key items and to suggest relevant actions as they became apparent.

2. Governance and Administration

2.1 Declarations of Interest

No conflicts of interest were declared.

2.2 Minutes

The Committee approved the following minutes:

- 9 June 2023

3. Cyber Attack Incident

3.1 High-level briefing on the Report on the independent Reassessment of the HSE’s NIST Capability Maturity Model Integration (CMMI)

P Moran and W O’Brien joined the meeting.

P Moran presented the HSE NIST Cybersecurity Maturity Reassessment, which was requested by the Committee at its meetings on 19 January and 3 February 2023. PwC were engaged to conduct an independent reassessment of the cybersecurity maturity levels at the HSE, using NIST CSF (National Institute of Security & Technology Cybersecurity Framework) and the governance aspects of ISACA COBIT (Information Systems Audit and Control Association Control Objectives for Information and Related Technologies), which were deployed as part of the Conti Post Incident Review (“PIR”) in 2021.

The review sought to: reassess the cybersecurity maturity levels of the HSE, following the initial PIR assessment that took place in 2021, to identify areas for improvement, maturity uplift, and further areas of enhancement; and to provide detailed recommendations to assist the HSE in achieving desired maturity levels.

The HSE’s CMMI Maturity Control Rating across the five NIST domains was discussed by the Committee, noting that the HSE has made progress with regard to the cybersecurity maturity uplift since the cyber incident in 2021.

The Committee queried the target maturity levels and the timeline presented, as the date for achieving these targets was placed at 2030. It was agreed the Chair would discuss these ratings with the Board at its meeting on 29 September and request that the Board consider if it is satisfied with risk acceptance of these targets.

The Committee discussed the role of third parties in achieving the targets and queried the HSE mechanism for assessing and managing third party risk under the remit of both operational reliance and technology. It was agreed that a request would be made of the CRO to report on this topic at the Committee’s next meeting on 6 October and the Chair would also discuss further with the Chair of the Audit and Risk Committee. In relation to areas of enhancement for sustained maturity uplift, the importance of business continuity management was outlined and the HSE Operational Clinical Resilience (OCR) Programme highlighted in particular. The Committee requested that a status update focusing on technical aspects of the programme be provided for the October meeting. The Chair agreed to raise this further with the Chair of the Planning and Performance Committee.

W O’Brien highlighted the governance of cyber resilience in the HSE as a key element of improvement required, particularly in relation to compliance with regulatory bodies such as the National Cyber Security Centre (NCSC) and compliance with the EU Network and Information Security Directive (NISD). The Committee discussed the structure of this governance in relation to the upcoming implementation of the new Health Regions and queried the process being put in place with regard to a national/whole system monitoring and governance approach. The Committee requested that, at the October meeting, the CIO/CTTO provide a briefing setting out the processes that are being considered and the approach to providing assurance to the Committee of a structured approach to drive ICT compliance and implementation of recommendations with regard to the PIR.

The Committee requested that the conclusions as presented by PwC be reviewed to reflect the need for assessment of progress and outline specific actions and then be brought to the attention of the Board.

The CTTO joined the meeting at 10:58.

The Committee discussed with the CTTO the PwC presentation and particularly the culture around governance of cyber security and IT more widely in the HSE. The CTTO advised that challenges of a programme of this nature can be visible in other large organisations and that transparency in governance should be the focus. The CTTO advised that robust governance had been put in place for the programme which can be evidenced through the recent reassessment.

The Committee thanked PwC for the work completed and presentation.

P Moran and W O’Brien left the meeting.

4. Digital Health Strategy

4.1 DoH Digital Health & Social Care Strategic Framework and HSE Digital Health Strategic Implementation Plan Update

B Murphy joined the meeting.

The CTTO updated the Committee on the DoH Digital Health & Social Care Strategic Framework and HSE Digital Health Strategic Implementation Plan. He advised that the DoH has this year been developing a national Digital Health & Social Care Strategic Framework 2023-2030 to fulfil its commitment outlined in “Harnessing Digital - The Digital Ireland Framework” that places a focus on eHealth. The intent of this new national Digital Health & Social Care Strategic Framework is to set out the vision, goals/objectives, policy direction and a clear roadmap for Digital Health for the remainder of this decade to support the safe and effective delivery of health services in Ireland. The new framework will also inform and guide important policy choices and funding decisions for consideration by government over the next decade.

The CTTO confirmed that the DoH framework has not yet been published; however, the HSE team have been working in close collaboration with DoH divisional colleagues in developing a Digital Health Strategic Implementation Plan. He advised that the framework and plan will require significant continued engagement and support to deliver and highlighted this area as one that is likely to inform the Committee’s workplan going forward.

The Committee discussed the draft documents circulated in advance of the meeting and provided feedback, particularly in relation to the use of data as a key enabler and how the plans will focus on addressing outcomes and user needs. It was agreed that this topic would be discussed in more depth at the October Committee meeting. The Committee requested that the principle of digitally enabled workforce and workplace be brought to the attention of the People and Culture Committee.

B Murphy and CTTO left the meeting.

5. Committee Matters

The Committee discussed the meeting presentations and agreed actions arising with the Corporate Secretary.

6. A.O.B

Nothing was raised under this item.

The meeting concluded at 11:30.

