IT breaches at CUH despite doubling security spend

The hospital at the centre of a series of computer breaches spent twice as much on its IT security than planned budgets allowed during the period examined in a HSE audit.

The internal audit of Cork University Hospital (CUH) found the overspend occurred at the same time that chronic problems existed in the facility’s computer files defences. The detailed document, obtained by the Irish Examiner under the Freedom of Information Act as part of a large cache of internal reports, said CUH’s “nominal” IT budget for 2011 was €658,000.

However, over the course of the year, it spent €1.217m on computer data security and standards — almost double the planned figure. The audit team said the overspend occurred partially because of a lack of a detailed, sector-by-sector budget for IT services at the facility.

As such, it was difficult to keep track of where and when extra money would be needed.

Despite the significant overspend, the audit team found a series of problems in the IT security system.

As reported in last Wednesday’s Irish Examiner, this included the fact “unauthorised staff” and ex-employees could access sensitive files, because their accounts had not been revoked; encryption difficulties; password problems; and a lack of stringent “access controls” on childcare system details.

More than 5,500 patient files also contained errors in patients’ names, addresses, dates of birth and other basic information due to the large number of people who added to the files, a situation which could potentially “lead to incorrect medical care”, according to the audit.

Also, during the period of the audit, investigators noted a poor knowledge of IT security protocol among CUH staff.

When asked about the hospital’s encryption, remote access, password standards and national IT protocols, the majority of staff “were either not aware of the policies (50%) [or], aware of the existence of the policies but not of their content (31%)”.

The audit team was told staff “have received no training in relation to any of the policies” and that there is “little evidence” national standards are being implemented “at local hospital level”.

It added that while an IT steering committee exists at CUH, it is project-focussed and does not have over-arching powers. As such, it “does not provide oversight or review of ICT [information and communication technology] standard performance metrics or targets, operational budgets, reporting against budgets, data management and data protection, security management or policy compliance”.

Similar, but less serious IT security issues were also reported at Our Lady of Lourdes Hospital in Drogheda, the Mid-Western Regional Hospital in Limerick and at a number of undisclosed local health office locations. Concerns surrounding the hospitals included poor or non-existent encryption of laptops and smart-phone information.

At least one local health office kept cleaning tools next to “sensitive” computer equipment — a situation which would cause significant damage in the event of any leak.


Lifestyle

The long-tailed tit’s nest is an architectural marvel.Richard Collins: Altruism of the long-tailed tits or not

The flight that brought us home to Ireland after our seven months sojourn in the Canary Islands (half our stay intended, half not) was the most comfortable I’ve experienced in years. With a large plane almost entirely to yourself, you could again pretend you were somebody.Damien Enright: Wonderful to see the green, green grass of home

IRISH folklore is replete with stories of priests praying for fine weather to help farmers save their crops in wet summers. However, the opposite could soon be happening when divine powers may have to be invoked to provide rain. And not just for farmers.Donal Hickey: Praying for rain — in Ireland

Geography is often the defining factor for the destiny of an island. Those islands that lie close to the shore have often been snapped up by interests on the mainland and their morphology changed to something completely different.The Islands of Ireland: Tarbert morphed onto the mainland

More From The Irish Examiner