The Chair welcomed Executive members to the meeting.
3.1 Guiding Principles Document
The CTTO presented an updated Guiding Principles document which incorporated feedback provided by the Committee at its workshop on 28 November 2022. The CTTO answered questions from the Committee in relation to patient access to digital healthcare records under the EU Digital Decade policy which requires such access by 2030. He confirmed that the HSE is actively working in conjunction with the DoH towards meeting this deadline. The Committee provided additional feedback and wording for the Principles which was to be sent to the CTTO following the meeting.
3.2 Review of ICT Capital Plan
COO eHealth joined the meeting.
The COO eHealth provided the Committee with an update on eHealth and ICT funding in the HSE and confirmed that the ICT Capital Plan submitted to the DoH is still in draft form. He advised that the ICT and eHealth capital funding available in 2023 is €140m, an increase of €10m (7.69%) from 2022, and that the multi-annual nature of major project and programme delivery means that decisions made and priorities set in one year can have a major impact on spending across future years. The Committee queried whether there is a multi-annual capital plan which takes this into account. The COO eHealth confirmed there is an internal plan which he would circulate to the Committee to facilitate further discussion.
The COO eHealth presented a paper on the HSE IT Budget Benchmark provided by Gartner. He highlighted certain elements of the report including the addition of business unit IT in this year’s analysis, revenue budget, capital analysis, and workforce comparison. The Committee asked questions on the data provided in relation to refreshment of current technology and devices. The COO eHealth advised that although there are many legacy systems still used, there is good progress being made in this area with a big focus being placed on single digital identity. The Committee discussed the risk in this area and agreed that risk appetite on servers should be established and that its addition to the CRR should be considered through the ARC and Board.
The Committee thanked the COO eHealth for his presentation.
COO eHealth left the meeting.
3.3 Board Strategic Scorecard – eHealth
The CTTO presented the proposed eHealth Board Strategic Scorecard to the Committee, advising that it was based on five key deliverables with a focus on alignment with the National Service Plan and Capital Plan. The Committee emphasised that the development of the Scorecard should have a clear focus on outcomes rather than inputs. The CTTO articulated that the Scorecard was at a strategic level and was underpinned by detailed reporting. The Committee indicated there are areas where they may seek monthly updates, for instance HealthIRL. The culture perspective of reporting was also to be considered, as the Committee advised that people should not have concerns about ramifications when reporting incidents or if an area's reporting is not green; it is more important to have accurate data to allow issues to be addressed.
3.4 Threats and Mitigations Briefing
The CISO briefed the Committee on Cyber Threat and the HSE Cyber Risk profile, highlighting key attack vectors, cybersecurity metrics recommended by Gartner, cyber threats impacting the HSE and recent HSE cyber events. The Committee discussed the metrics highlighted and requested that information relating to certain areas of concern be reported to the Committee at each of its meetings. The Committee also requested further detail on Privileged Access Management procedures.
The Committee requested that the CISO and CTTO recommend options for external assessment of the HSE’s cyber position, noting that the decision on this will rest with the Committee/Board and that it should allow for annual assessment to track progress.
The Committee thanked the CISO for his presentation and agreed that following further development in this area, a briefing will be brought to the Board.
CISO left the meeting.