
ICT & Cyber Programme


Chief Technology Transformation Office (CTTO)

The ICT & Cyber programme was established in the summer of 2022 following an immense recovery effort in the aftermath of the 2021 Cyber Attack on the HSE. The ICT & Cyber programme is led by Programme Manager Michael O’Kane, under the remit of the Chief Technology Transformation Office. The overarching purpose of the programme is to enhance the Cyber Posture of the HSE and the broader Irish Health Service, and to increase resilience against numerous cyber threats that continue to attack organisations, large and small, across the globe.

The programme seeks to fulfil this purpose through the provision of funding support and establishment of governance structures for cyber related programmes with its partners in the HSE, namely programmes led by the CTO, CSE and CISO, as well as programmes in voluntary organisations.
The ICT & Cyber Programme tracks the progress of the HSE toward being more resilient to future cyber-attacks via an internationally recognised methodology, namely the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF), the Information Systems Audit and Control Association (ISACA) and the Control Objectives for Information and Related Technologies (COBIT).

The initial independent assessment against this methodology in December 2021 resulted in the HSE achieving an average cyber security maturity rating of 1.18 out of 5.00 across the five NIST domains: Identify, Protect, Detect, Respond and Recover. Comparing the HSE's rating against peers, the Private Sector scored on average 2.47 out of 5.00, other Public Sector bodies averaged 1.75 out of 5.00, while large organisations averaged 2.26 out of 5.00.

Upon commencing the programme in 2022 and receiving funding from the Department of Health at the beginning of 2023, the programme focussed its efforts on 5 key areas related to cyber security in a bid to enhance the HSE’s cyber security maturity rating.

These areas are detailed below:

Compliance & Training:
Support HSE and Voluntary Hospital compliance with the relevant regulations and support the delivery of a comprehensive, formalised cybersecurity training and awareness programme to all staff.

Security Operations:
Support the maintenance and enhancement of appropriate security operation services through the provision of Security Operations Centre and Security Information and Event Management services.

Foundational Technology:
Invest in the continuous modernisation of the technology estate to enhance the foundational infrastructure on which the organisation depends and which cyber criminals often target.

Threat & Vulnerability Management:
Support and fund the proactive testing and scanning of networks and systems, by simulating cyber-attacks, to identify vulnerabilities and security weaknesses.

IT Service Management:
Support the provision of an enhanced asset register and configuration management database (CMDB) to provide more comprehensive information, cataloguing and configuration details of the HSE technology estate.

As the ICT & Cyber programme was progressing in its first full year, it was again independently assessed against the NIST CSF in June 2023 to evaluate progress to date. The assessment outcome sees the HSE move from 1.18 to 1.89, which is an increase of 42% versus our target of 2.86 / 5.00. This is an excellent and accurate reflection of the work that has been done across the CTO, CSE, CISO, eHealth SMT and the ICT & Cyber programme. Nonetheless, the report did acknowledge that we need to continue to invest and be vigilant now and for many years to come to ensure we deliver on the target of 2.86 by 2030.
Accordingly, the programme will continue in its mission to enhance the cyber posture of the HSE and the broader Irish health service in 2024 and following years.
In addition to continuing the progression of the 5 key focus areas already identified, the ICT & Cyber programme will also support the roll out of Office 365 in Voluntary Hospitals as well as scope a number of new initiatives designed to enhance the organisation's cyber posture, including Third Party Risk Management.
We are looking forward to continuing to work with our partners across the HSE and voluntary hospitals to promote good cybersecurity practices and protect the IT foundation of the HSE and broader Irish Health service.

You can view our web page on ehealthireland.ie here.