Due to constraints imposed by the cyber attack, we are accommodating alternative ICT arrangements to continue providing healthcare services.
Business units may temporarily use personal ICT resources and email addresses to process HSE data. This includes sending and receiving confidential and restricted data, provided the following guidance is followed.
Guidance for business unit managers:
- Using personal devices and email addresses is deemed necessary to continue the healthcare services you provide
- Carry out a risk assessment on using personal devices and email addresses, and risks identified are accepted and recorded
- Implement appropriate controls to mitigate risks, for example, avoid sharing personal devices with non-HSE staff during this period. You should be particularly careful about connecting to public wifi networks that may not be secure.
- Ensure that the minimum amount of data to provide healthcare services is processed using personal devices and email.
- When using personal email addresses, mark the email as ‘private and confidential’ and check the intended recipient email addresses are correct.
- Inform email recipients in advance that they are being sent an email from a non-HSE account. You should contact them to confirm they received the email (unless a prompt acknowledgment has been received). When your HSE email is restored, ask the recipients to stop using the non-HSE account.
- Where possible, all confidential and restricted data sent via email over unsecured networks (for example the internet) is password protected and encrypted.
- Once normal HSE ICT services have resumed, take immediate action to migrate HSE data processed during this period, back onto the relevant HSE ICT platforms. All copies of HSE data must be removed from third party email platforms and personal devices.
This arrangement is only valid during the constraints imposed by the cyber attack.