Electronic data held by HSE not secure, audit finds
Electronic data held by the Health Service Executive is not adequately secure and could be at risk of theft or misuse, an external audit has found.
The audit which was carried out by external consultants and completed in March 2012, found the organisation’s overall information and communications technology (ICT) security framework was “inadequate”.
It said the absence of an effective security framework across the organisation meant the HSE, its staff and the data held by it “may not be adequately protected from attack, compromise, theft or misuse”.
The finding was one of 14 high-level risks and medium-level weaknesses identified across the HSE’s ICT security framework at a national and regional level by Mazars.
The audit report also found one in every five laptops on the HSE South East’s asset register was unencrypted at the time of the audit. Although all laptops are required to be encrypted under HSE policy, it found 292 of the 1,475 laptops in the region appeared to be unencrypted.
In the HSE West region it found 1,183 laptops had been encrypted but was unable to determine a figure for the overall number of laptops in use by the HSE in that region.
In a response contained in the report HSE management admitted there were “considerable resource constraints within the ICT directorate” in the organisation: “There is one person assigned to data protection and security policy within the ICT directorate.
“The development of an overall framework has to be managed within that resource constraint.”
The HSE said staff were reminded on a regular basis of the need to encrypt their laptops and noted that the ICT directorate had implemented a script on the HSE network domain which would identify the encryption status of laptops connecting to the network.
The HSE said last night that following a number of data protection breaches in 2010 and 2011 the HSE undertook a comprehensive review of its guidance documents, protocols, practices and procedures.
“A set of data protection policies and procedures are now in place. Ongoing staff training is provided to ensure that staff are aware of their responsibilities in this area,” a spokeswoman said.