The hospital at the centre of a series of computer breaches spent twice as much on its IT security than planned budgets allowed during the period examined in a HSE audit.
The internal audit of Cork University Hospital (CUH) found the overspend occurred at the same time that chronic problems existed in the facility’s computer files defences. The detailed document, obtained by the Irish Examiner under the Freedom of Information Act as part of a large cache of internal reports, said CUH’s “nominal” IT budget for 2011 was €658,000.
However, over the course of the year, it spent €1.217m on computer data security and standards — almost double the planned figure. The audit team said the overspend occurred partially because of a lack of a detailed, sector-by-sector budget for IT services at the facility.
As such, it was difficult to keep track of where and when extra money would be needed.
Despite the significant overspend, the audit team found a series of problems in the IT security system.
As reported in last Wednesday’s Irish Examiner, this included the fact “unauthorised staff” and ex-employees could access sensitive files, because their accounts had not been revoked; encryption difficulties; password problems; and a lack of stringent “access controls” on childcare system details.
More than 5,500 patient files also contained errors in patients’ names, addresses, dates of birth and other basic information due to the large number of people who added to the files, a situation which could potentially “lead to incorrect medical care”, according to the audit.
Also, during the period of the audit, investigators noted a poor knowledge of IT security protocol among CUH staff.
When asked about the hospital’s encryption, remote access, password standards and national IT protocols, the majority of staff “were either not aware of the policies (50%) [or], aware of the existence of the policies but not of their content (31%)”.
The audit team was told staff “have received no training in relation to any of the policies” and that there is “little evidence” national standards are being implemented “at local hospital level”.
It added that while an IT steering committee exists at CUH, it is project-focussed and does not have over-arching powers. As such, it “does not provide oversight or review of ICT [information and communication technology] standard performance metrics or targets, operational budgets, reporting against budgets, data management and data protection, security management or policy compliance”.
Similar, but less serious IT security issues were also reported at Our Lady of Lourdes Hospital in Drogheda, the Mid-Western Regional Hospital in Limerick and at a number of undisclosed local health office locations. Concerns surrounding the hospitals included poor or non-existent encryption of laptops and smart-phone information.
At least one local health office kept cleaning tools next to “sensitive” computer equipment — a situation which would cause significant damage in the event of any leak.
© Irish Examiner Ltd. All rights reserved
More in this section