HSE Technology and Transformation Committee Meeting Minutes 3 February 2023

A meeting of the HSE Technology and Transformation Committee was held on Friday 3 February 2023 at 2pm via video conference.

Meeting details

Members Present: Tim Hynes (Chair), Brendan Whelan, Fergus O’Kelly, Barry Lowry, Martin McCormack, Rosaleen Killalea, Derick Mitchell.

HSE Executive Attendance: Dean Sullivan (Chief Strategy Officer), John Ward (Interim Chief Technology Transformation Officer), Dara Purcell (Corporate Secretary).

Joined the Meeting: Yvonne Traynor (Board Member – Item 2.2), Puneet Kukreja (Interim Chief Information Security Officer – Item 3), Michael Redmond (Chief Operations Officer eHealth – Item 3.2), Yvonne Goff (ND Change and Innovation – Item 4.1), Fran Thompson (CIO – Item 4).

Minutes reflect the order in which items were considered and are numbered in accordance with the original agenda. All performance/activity data used in this document refers to the latest information available at the time.

1. Committee Members Private Discussion

The Committee held a private session to review the agenda, the relevant papers and approach to conducting the meeting, noting that the focus of the meeting would be to receive updates on key items and to suggest relevant actions as they became apparent.

2. Governance and Administration

Y Traynor joined the meeting.

2.1 Declarations of Interest

No conflicts of interest were declared.

2.2 People and Culture Committee Oversight

The Chair of the People and Culture Committee was invited to attend to discuss the People & Culture Committee workplan and how this will inform the Technology & Transformation workplan. The T&T Committee Chair advised he hopes to have each Board Committee Chair join future meetings to provide similar input.

The P&C Workplan and Recruitment Reform & Resourcing Programme were circulated in advance of the meeting. Y Traynor gave an overview of the work of that Committee, noting that workforce planning is critical to the successful implementation of ICT projects and programmes. The Committee discussed the need for current state analysis of the ICT workforce (e.g. numbers, grading, salaries, recruitment plans). Y Traynor agreed to consider at the People and Culture Committee workforce planning in the context of ICT projects implementation.

2.3 Minutes

The Committee approved the following minutes:

  • 19 January 2023

2.4 Committee Matters

The Committee workplan 2023 was discussed and it was agreed that Committee members and the CTTO would review the draft workplan and provide feedback. It was also agreed that an education session is to be developed for the Board by the Committee covering cyber attestation and the HSE Transformation Roadmap.

In relation to the Committee Terms of Reference, the Chair reported from a discussion at the Board meeting of 27 January 2023 and confirmed the wording of the transformation agenda. The Terms of Reference as circulated were recommended to the Board for approval at its February meeting, noting the revised wording in relation to the creation of a Transformation Roadmap to provide clarity to the Board that allows greater control and decision making.

2.5 Matters for Noting

ICT Capital forecast

The Committee noted the ICT Capital forecast which was circulated prior to the meeting following a request by the Committee at its meeting on 19 January 2023.

Privileged Access Management

Following a request by the Committee at its meeting on 19 January 2023, the Chair reported a meeting had been arranged for himself and B Lowry with management in relation to Privileged Access Management. The Committee noted the briefing information provided for the call on 1 February 2023 which was circulated prior to the meeting.

3. Transformation

CSO and ND Change and Innovation joined the meeting.

3.1 RHA Transformation

The CSO provided the Committee with a verbal update on Regional Health Areas (RHAs). ND Change and Innovation outlined the RHA key actions including proposed governance arrangements with voluntary groups. Following a discussion on the requirement of legislation to ensure sufficient data sharing between the HSE and voluntary groups, the CSO advised the Committee that an amendment to existing legislation should not be required.

The Committee were advised that there is ongoing engagement with the voluntary sector through the voluntary dialogue forum and a further planning session has been scheduled with the forum on 14 February.

The CSO advised the Committee that they are currently in the planning and design phase and it is expected to go live in January 2024 on a phased basis.

The Committee noted that the draft RHA Implementation Plan would be submitted to the Board at its February meeting.

3.2 Current organisational structure of digital innovation

The ND Change and Innovation outlined the current organisational structure of digital innovation. She informed the Committee that work is ongoing with colleagues to examine the proposed approach and structure of how the digital innovation team will be organised in future, with the first steering group meeting soon to discuss this. While the Committee acknowledged the importance of having the right people, they questioned whether it is possible that the proposed governance is overly bureaucratic and at variance with the subject matter of innovation. The CSO advised that this should not be the case and the aim of this organisation structure is to ensure that all relevant people are included. The Committee requested that the roles of each organisation should be clearly shown in the structure going forward.

3.3 Discussion on development of Transformation dashboard

The Committee requested the CSO to consider the programmes/projects which should be presented to the Committee under the transformation agenda and the appropriate dashboard to report progress on implementation to the Committee. The outcome of this work is to be reported to the Committee by the end of Q1 2023.

3.4 Matters for noting

- Verbal update regarding status of implementation of projects submitted via MSc in Digital Health Transformation

The ND Change and Innovation provided a brief verbal update on the status of projects submitted as part of this programme. The Committee suggested that the projects be added to Decision Time with summary overview to allow the projects input into change and innovation in the HSE. D Mitchell, who is involved in this course’s delivery, advised that he would seek permission from the university/students to share their projects with the Committee and engage with the ND Change and Innovation on implementing a formal process for these projects.

CSO, ND Change and Innovation and Y Traynor left the meeting.

4. Risk Management

4.1 Risk Appetite Statement

CRO, CIO, CISO and CTTO joined the meeting.

The Committee welcomed a presentation from the CRO on the HSE Risk Appetite Statement [RAS] 2021/22 as approved by the HSE Board in November 2021. The Committee noted that the RAS is currently under review in parallel with the revision of the Risk Management Policy.

The Committee discussed in detail CRR Risk 011 Digital Environment and Cyber Failure, noting that the history of this risk over 17 quarters has been consistently ranked between 16 and 25. The CRO advised that he is currently undertaking a review of risks on the CRR. A structured approach to reviewing risks has been developed. Once approved by the EMT, the CRO expects that it will provide the EMT and Board Committees with a tool to allow them to interrogate each risk in a straightforward way.

The Committee agreed to add risk as a standing agenda item for its future meetings and that over a number of meetings, the Committee will explore the Cyber/ICT risk in more depth.

CRO and D Mitchell left the meeting.

5. Technology

5.1 Procurement for External Assessment ref Cyber Position

The CTTO presented on the assessment frameworks that have been applied in external reviews of the HSE’s Cyber position to date. This discussion was requested by the Committee at its meeting of 19 January 2023.

The CTTO advised that in June 2021 the HSE commissioned PwC to complete an Independent Post Incident Review (PIR) of the Conti cyber-attack on the HSE. As part of PwC’s review of the HSE’s preparedness to manage cyber risks they used a Cybersecurity Framework for the HSE which was based on the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) and the Information Systems Audit and Control Association (ISACA) Control Objectives for Information and Related Technologies (COBIT).

The CTTO confirmed that both NIST CSF and COBIT are internationally recognised standards that organisations frequently use to assess their information security capabilities and IT governance processes. The Committee supported the use of these frameworks for further proposed procurement processes.

5.2 Discussion on development of Technology dashboard

The CTTO presented the December 2022 eHealth Detailed Report to the Committee which facilitated a discussion on the draft technology dashboard.

The Committee discussed the wording used in the draft technology dashboard, particularly focusing on what should be meant by transformation and how this will be clearly defined and measured. The Committee suggested the key headings Protect, Operate, Transform and Sustain. The Committee emphasised the need to have a high-level dashboard that can show clear progress, but also emphasised the need to ensure that sustain is represented.

It was agreed that the CTTO would incorporate Committee feedback and present again at the next meeting.

5.3 Threats and Mitigations monthly meeting

The CISO briefed the Committee on the HSE cyber security ecosystem. This focus was requested at the Committee meeting of 19 January 2023. The HSE cyber threat dashboard for January 2023 was also presented. The CISO focused in particular on prime threats as highlighted by ENISA 2022, key enabling areas for cyber, types of cyber-attacks, and the prioritised 2023 funding ask.

The Committee discussed the metrics highlighted and thanked the CISO for his presentation. It was agreed that an amended version of this presentation should be brought to the Board for the upcoming cyber education session.

CIO, CTTO and CISO left the meeting.

6. A.O.B

Nothing was raised under this item.

The meeting concluded at 18:00.

