Committees of the board meeting minutes

HSE Technology and Transformation Committee meeting minutes 6 October 2023

A meeting of the HSE Technology and Transformation Committee was held on Friday 6 October 2023 at 9am in Dr Steevens Hospital, Dublin 8.

Meeting details

Members Present

Tim Hynes (Chair), Fergus O’Kelly, Martin McCormack, Rosaleen Killalea, Derick Mitchell, Brendan Whelan, Barry Lowry.

HSE Executive Attendance

Niamh Drew (Deputy Corporate Secretary), Rebecca Kennedy (Office of the Board).

Joined the Meeting

Stephen Mulvany (CFO – Item 4), Valerie Plant (A-CFO IFMS – Item 4), Fran Thompson (Chief Information Officer – Items 5-8), John Ward (Interim Chief Technology Transformation Officer – Items 5-8), Patrick Lynch (CRO – Item 6), Elaine Kilroe (AND Enterprise Risk Management - Item 6).

Minutes reflect the order in which items were considered and are numbered in accordance with the original agenda. All performance/activity data used in this document refers to the latest information available at the time.

1. Committee Members Private Discussion

The Committee held a private session to review the agenda, the relevant papers and approach to conducting the meeting, noting that the focus of the meeting would be to receive updates on key items and to suggest relevant actions as they became apparent.

2. Governance and Administration

2.1 Declarations of Interest

No conflicts of interest were declared.

2.2 Minutes and Action Log

The Committee noted the action log and approved the following minutes: 12 September 2023.

2.3 Committee Workplan and meeting dates

The Committee agreed the 2024 meeting dates circulated in advance of the meeting and agreed that the workplan would be developed in the coming weeks for agreement at the December meeting.

3. Cybersecurity Maturity Assessment

3.1 HSE Maturity Control Rating - feedback from Chair to Committee on Board Briefing

The Chair updated the Committee on his report to the Board at its meeting on 29 September 2023. He advised that the Board have now been briefed on the Report on the Independent Reassessment of the HSE’s National Institute of Standards & Technology (NIST) Capability Maturity Model Integration (CMMI), and the ratings across the five NIST domains.

The Chair advised that the Board supports the work of the Committee in this area and he will continue to update the Board as progress is made.

3.2 Committee discussion on processes for ensuring auditing on implementation and status of recommendations contained in Report

The Committee discussed the role of the Audit and Risk Committee (ARC) in relation to the Report’s recommendations and it was agreed that there would be engagement between the Committee and the ARC on this topic. The Committee highlighted that it should be understood that implementing these cyber maturity recommendations is an organisational issue and not just an IT matter.

It was agreed that the Committee Chair and ARC Chair would meet to discuss organisational reliance in further detail.

4. IFMS

4.1 Briefing update

CFO and A-CFO joined the meeting.

The CFO provided the Committee with the quarterly update on the IFMS project. The update outlined the IFMS go-live which happened as planned on 3 July 2023 in the first implementation group (HSE East, National Capital, National Distribution Centre, National Ambulance Service, PCRS and Tusla), and was based on the latest report prepared for the FRP Steering Committee on the 21 September 2023. The CFO covered IFMS post go-live decisions, project status, key milestones, the post implementation Group 1 revision to IFMS Implementation Plan, Key strategic projects, and next steps for the project.

The Committee thanked the CFO for the presentation and were fully supportive of work completed to date. It was noted that the next quarterly IFMS update will be submitted to the Committee in January 2024.

CFO and A-CFO left the meeting.

5. Committee Matters for Noting

CIO and CTTO joined the meeting.

  1. NSP 2024 - Technology and Transformation elements of plan
    The Committee noted the briefing paper circulated in advance of the meeting and briefly discussed the 6 key objectives outlined.
  2. Briefing paper on migration to HealthIRL domain
    The Committee noted the briefing paper circulated in advance of the meeting which had been requested by the Committee and expressed continued support for this strategic and critical programme. The Committee noted the progress that has been made in the implementation of HealthIrl.

6. HSE Operational Clinical Resilience (OCR) Programme

6.1 Status briefing ref technical aspects of programme

The CTTO presented to the Committee on the technical aspects of HSE OSR programme including the IT Critical Incident Management Process and the Cyber Incident Response Management Process.

He advised that ICT infrastructure resilience is a critical component of the HSE’s ability to deliver healthcare services, as is the need for reliable and available platforms.

The CTTO confirmed that the HSE continues to invest in modernising server, storage, and data platforms using a tiered approach, and that this programme is ongoing and will require continued investment to ensure it maintains currency.

The Committee discussed the Cyber Incident Response Playbooks which were circulated in advance of the meeting and noted the approach to ICT resilience.

7. Risk Management

7.1 Q2 2023 Corporate Risk Report - Technology and Transformation Committee Risks

CRO and AND Enterprise Management joined the meeting.

The CRO updated the Committee on the Corporate Risk Review 2023, which was undertaken on recommendation of the 2021 Moody Risk Review, and presented to the Committee the HSE Q2 2023 Corporate Risk Register (CRR) Report.

The Committee noted that as the Corporate Risk Review is being concluded in parallel with the Q2 2023 Corporate Risk Register (CRR) Report, the Q2 report is “by exception”. The Committee discussed the risk ratings and outlined mitigation factors presented. The CRO advised that there will be further discussions on these as part of the ongoing risk review.

7.2 HSE mechanism for assessing and managing third party risk

The CTTO presented on the HSE mechanism for assessing and managing third party risk as it applies to eHealth. He advised that the HSE has a dependency on third parties to provide key services; however, cyber threat actors are increasingly targeting third parties to gain initial access to organisations. In addition, the HSE has increased regulatory obligations in this area, such as under the EU NIS Directive, OES annual returns, and the EU Cyber Security Act.

The Committee discussed the HSE’s regulatory obligations and emphasised that they should be considered whole organisation obligations rather than applicable only to IT. It was agreed that the National Cyber Security Centre should be invited to present to the Committee on the EU NIS Directive in particular.

CRO and AND Enterprise Management left the meeting.

8. ICT Compliance in the context of the implementation of Health Regions

8.1 PIR in upcoming Health Regions

The CTTO presented to the Committee on how IT will function under the new HSE Health Regions and Structures. He advised that the eHealth team have established a workstream to design appropriate HSE Health Regional structures that will be fit for purpose for ICT and Cyber and that L0 and L1 level activities will be mapped across the following key areas: Strategy & Planning, Standards & Architecture, Technology Delivery, Technology Operations, Data & Insights, Services, and Security. He confirmed that these principles were developed with the DoH, the national eHealth team, and the eHealth Regional Directors and the workstream is part of an overall governance which is being led by the CEO.

The Committee discussed the impact of the rollout on GP services. The CIO confirmed that the interaction between GP and HSE systems will remain a centralised function and there has been engagement with GPs on this, especially in relation to the shared care record.

8.2 User experience

The CTTO presented on the End User Device Experience in the HSE which was requested by the Committee. He advised that the HSE has a disparate set of user types to manage and that the device ordering and procurement process has been improved and will continue to be improved on a continuous basis. The CTTO confirmed that internet access / O365 experience has been greatly improved following the migration from our on-premise proxy to a cloud proxy service. In the small number of cases where there are issues, the HSE National Service Desk is dealing with them.

The Committee discussed the upcoming HSE patient app and what the patient experience of it will be, highlighting that this will represent a change in design as the patient is now the user. The CTTO confirmed that patient feedback will be key in its development.

9. Digital Health Strategy Prioritisation Framework for Transformation

The CTTO updated the Committee on the DoH Digital Health & Social Care Strategic Framework and HSE Digital Health Strategic Implementation Plan and progress made since his presentation at the Committee meeting of 12 September. The Committee noted both drafts which were circulated in advance of the meeting. The CTTO advised that the DOH last published an eHealth strategy in 2013, which resulted in the HSE’s Knowledge and Information plan in 2015.

The HSE is at a critical juncture in its health care delivery model, with digital health a crucial enabler in delivering healthcare. The HSE’s digital health enablement needs to improve and provide a whole of system response. The CTTO advised that the framework and plan will require significant continued engagement and support to deliver.

The Committee recognised the importance of the work completed to date and expressed support for highlighting its importance to wider stakeholders in the system. It was agreed that the Committee would engage with the DOH in relation to the development of the DoH Digital Health & Social Care Strategic Framework and HSE Digital Health Strategic Implementation Plan.

CIO and CTTO left the meeting.

10. Prioritisation Framework for Transformation

The Chair provided the Committee with a verbal update on the HSE’s Prioritisation Framework for Transformation, advising that the prioritisation tool can be applied for the 2023 NSP list in order to scale back projects but it will not be feasible to apply it for 2024 projects until such time as the Letter of Determination has been received and its implications processed.

11. AOB

Nothing was raised under this item.

The meeting concluded at 14:35.

