IT breaches at CUH despite doubling security spend

The hospital at the centre of a series of computer breaches spent twice as much on its IT security as planned budgets allowed during the period examined in a HSE audit.

The internal audit of Cork University Hospital (CUH) found the overspend occurred at the same time that chronic problems existed in the facility’s computer file defences. The detailed document, obtained by the Irish Examiner under the Freedom of Information Act as part of a large cache of internal reports, said CUH’s “nominal” IT budget for 2011 was €658,000.

However, over the course of the year, it spent €1.217m on computer data security and standards — almost double the planned figure. The audit team said the overspend occurred partially because of a lack of a detailed, sector-by-sector budget for IT services at the facility.

As such, it was difficult to keep track of where and when extra money would be needed.

Despite the significant overspend, the audit team found a series of problems in the IT security system.

As reported in last Wednesday’s Irish Examiner, this included the fact “unauthorised staff” and ex-employees could access sensitive files, because their accounts had not been revoked; encryption difficulties; password problems; and a lack of stringent “access controls” on childcare system details.

More than 5,500 patient files also contained errors in patients’ names, addresses, dates of birth and other basic information due to the large number of people who added to the files, a situation which could potentially “lead to incorrect medical care”, according to the audit.

Also, during the period of the audit, investigators noted a poor knowledge of IT security protocol among CUH staff.

When asked about the hospital’s encryption, remote access, password standards and national IT protocols, the majority of staff “were either not aware of the policies (50%) [or], aware of the existence of the policies but not of their content (31%)”.

The audit team was told staff “have received no training in relation to any of the policies” and that there is “little evidence” national standards are being implemented “at local hospital level”.

It added that while an IT steering committee exists at CUH, it is project-focussed and does not have over-arching powers. As such, it “does not provide oversight or review of ICT [information and communication technology] standard performance metrics or targets, operational budgets, reporting against budgets, data management and data protection, security management or policy compliance”.

Similar, but less serious, IT security issues were also reported at Our Lady of Lourdes Hospital in Drogheda, the Mid-Western Regional Hospital in Limerick and at a number of undisclosed local health office locations. Concerns surrounding the hospitals included poor or non-existent encryption of laptops and smart-phone information.

At least one local health office kept cleaning tools next to “sensitive” computer equipment — a situation which would cause significant damage in the event of any leak.

© Irish Examiner Ltd. All rights reserved
