HSE boss looks to the cloud to strengthen security following cyberattack

Martin Curley says executive on ‘cusp of something remarkable’ in digital health

Due to technological innovations, monitoring systems associated with ICU-level care can now be extended to out-patient systems by the HSE. Photograph: Getty Images
Due to technological innovations, monitoring systems associated with ICU-level care can now be extended to out-patient systems by the HSE. Photograph: Getty Images

The cyberattack that brought the HSE to its knees recently has forced the organisation to review how it protects its electronic and IT systems into the future. In spite of the hack and the disruption to services that it has caused, the HSE remains committed to pursuing digital innovation to help deliver care to patients.

Speaking at an IBM-sponsored conference earlier this week on cyber security, Martin Curley, director of digital transformation and open innovation at the HSE, said that it will continue to invest in digital innovation in spite of the recent security breach.

“The HSE is still wrestling with the cyberattack,” said Mr Curley. “The Covid pandemic had brought down a lot of the barriers to digital innovation in the first place, and equally digital transformation will be enabled by the cyberattack. We need to think about a new model for how we defend our systems, but I’m really pleased to say that none of the digital transformation solutions that we have introduced over the last year were impacted in any way by the cyberattack.”

Mr Curley is putting his digital faith in the move to cloud-based services as a major security bulwark against future cyberattacks: “One of the features of cloud-based solutions, be that from Amazon Web Services, IBM or Microsoft, is that they can afford to spend a lot more on cyber security than an organisation such as the HSE. Cloud-based solutions are inherently more reliable and trustworthy, so rather than it slowing the pace of digital transformation, I think the cyberattack will actually accelerate the transition to these cloud-based solutions.”

READ MORE

New app

Mr Curley says the HSE is “on the cusp of something remarkable in digital health”, including such online-based systems as the remote monitoring of Covid-19 patients and others. The HSE has about 850 patients with chronic respiratory conditions, such as cystic fibrosis, all of whom are currently at home, and being monitored remotely. That, says Mr Curley, is taking monitoring systems associated with ICU-level care and bringing it to outpatient systems. The monitoring setup can give as much as 12 hours’ warning of a patient developing more severe symptoms.

Other innovations include a new app being developed to help those suffering from Parkinson’s disease connect better with healthcare professionals, and vital signs automation, an “early warning system” that flags up sudden deteriorations in the conditions of cardiac patients.

“We have around 100 patients with who have heart failure conditions and they are using a solution that’s monitoring them several times a week. In our pilot project, we had 20 patients, who had 13 cardiac episodes, which would have previously required hospitalisation for an average of 10 days, but we were able to intervene and not one of those heart failure patients needed to go to hospital,” said Mr Curley.

However, it’s precisely those sorts of remote monitoring and remote working solutions that are opening up organisations, such as the HSE, to cyberattack in the first place. That’s the worry being flagged by the Association of Compliance Officers Ireland (ACOI), which says that most businesses are seeing a rise in cyber security attacks since the beginning of the series of national lockdowns last March.

While most would aver, under normal circumstances, that allowing, even encouraging, staff to work from home is beneficial to business, the environment and the employees themselves, the ACOI says there is a significant danger of “back door” cyberattacks.

“It’s abundantly apparent from our survey that remote working is a major issue facing firms this year when it comes to data protection, with 34 per cent of businesses voicing their concerns around the risks associated with it. Given how intertwined the two things are, it is perhaps unsurprising that risk of cyberattack was cited by 31 per cent of respondents as the biggest concern. Indeed, the two are not mutually exclusive, with remote working increasing organisations’ vulnerability to attacks,” Michael Kavanagh, chief executive of the ACOI told The Irish Times.

“Eighty-five per cent of our respondents have more than three-quarters of their workforce out of the office at the moment and while the survey suggests that the remote working landscape will certainly not look the same in 12 months, it is clear that the intricacies of having a national mobile workforce is something that all organisations will have to consider, both now and into the future, as flexibility around where people carry out their various roles becomes a key feature of modern day business.”

According to the ACOI, 89 per cent of Irish businesses have said that the risk of cyberattack has become a greater consideration since the redeployment of staff to home-based working.

“Redeploying employees to work from home has ‘considerably’ increased risk for 37 per cent of organisations, while 52 per cent said it had increased risks ‘a little’. What’s interesting is that when we asked the same question last year 10 per cent fewer organisations felt the risk had increased ‘considerably’. This would suggest that the recognition of, appreciation for, and experience of that risk is growing,” said Mr Kavanagh.

Cybercrime

“The context for cybercrime and cyberattack in Ireland is constantly evolving. PWC’s Irish Economic Crime Survey 2020 found that 69 per cent of companies in Ireland have experienced cybercrime in the past 24 months, and that the incidence of cybercrime in Ireland is double that experienced by global companies: 34 per cent. The report also outlines that Ireland is now Europe’s largest data-hosting cluster, putting the need for elevated cybercrime and data protection systems into sharp focus.”

The ACOI also claims that it is “widely accepted” that the Covid-19 lockdowns and working restrictions have created a more febrile ground for money laundering and cyberattacks.

What can be done? Essentially, the advice for companies and those working from home is to be more vigilant and be cautious about trusting sources of information. It’s also critical to stay current with advice from regulators, both in Ireland and abroad, at least as much as is possible. “Whether it’s keeping your software and security systems up to date, running regular checks or introducing more complex processes such as two-step authentication to your transactions and communications, there are small steps that businesses can take that will help detect and protect them from cyber threats. However, a combination of technology and human resources will always be the best approach to maintaining cyber-safe and secure working practices and operational environments,” Mr Kavanagh said.

Digitisation

According to IBM’s general manger of security, Mary O’Brien, there are solutions both simple and complex to the ever-more important issue of cyber security. “In essence, any digitisation or modernisation of your business has to be done in lockstep with your cyber security programme. Businesses used to have a ‘perimeter’ – an office where people worked or a data centre or a specific ‘computer room’ but the rise of personal digital devices has changed all of that. Unless you reconsider how you ‘do’ security as you modernise your business, you’re taking a huge risk.

“Take advantage of technology that uses artificial intelligence (AI) that has the capability to learn behaviour. Once a pattern of suspicious activity is spotted, that activity can be learned so that you don’t get fooled again, and building on those patterns will allow you to automate responses.

“The most common form of threat is ransomware through a phishing email, and the most simple yet effective security measure you can take is to educate your staff to learn to spot the signs, the link in the email, the spelling mistakes, all of which could alert you and every person in your organisation to the dangers. Your workforce can be the human line of defence in your systems. Invest time to secure your data, know where your data is stored, know where the sensitive data is and know who’s accessing it and if they need to,” said Ms O’Brien.