The effect of the cyberattack on the Irish health service continues to be felt by doctors and healthcare teams. David Lynch examines the impact to date and lessons from the crisis
The cyberattack in May was not the first incident of this nature on health services. Globally there have been many such attacks, including in May 2017 when the international media headlines reported on a cyberattack that hit the NHS and other organisations. At the time, the HSE Chief Information Officer (CIO) was Mr Richard Corbridge. On the morning the news broke, he was in Wexford attending the AGM of the ICGP. Prior to his address, Mr Corbridge was busy making phone calls co-ordinating the HSE’s immediate response.
In the end, the HSE was largely unscathed during that crisis. However, fast forward to May 2021, and the HSE and the Irish health system was now the specific target of a major cyberattack. Having departed as HSE CIO in late 2017 to pursue opportunities in the UK, Mr Corbridge has been able to view the Executive’s response from a distance. He told this newspaper he has been impressed.
“The key lesson learnt will be that the threat is no longer an ‘if’, but a ‘when’, unfortunately,” Mr Corbridge told the Medical Independent (MI). “This is the same across every area now; the art is no longer in just the protection, but in the recovery and reaction to the issue.” In terms of the response, he said the HSE team “appear to have been amazing in how they have reacted”, adding he believed the public communications “have been phenomenal”.
But the HSE’s first CIO also believed that some new structure to increase staff awareness will need to be contemplated.
“The most basic threat protection is awareness and the health system as a whole, not just the HSE, now needs to again look at how it educates its staff.” Mr Corbridge said there was a role for “a single function to do this across the HSE, health delivery and the Department [of Health]”. This resource now needs “to be looked at and invested in”. He said a key instrument in the fight against such attacks “is knowledge”.
The impact of the May cyberattack on patient services and data has been well documented in the national media. It is also clear that the HSE was aware cyber security was a concern prior to the attack. In May, MI reported that as recently as March, the HSE audit and risk committee had discussed “cyber risks” and sought a general overview of the Executive’s “technological landscape and changing risk profile”, according to minutes.
The meeting was told the “risks over the last year have changed with a rise in focus on cyber risks”. Cyber security was also one of 17 ‘red’ risks on the HSE’s corporate risk register approved by the HSE board in December and seen by MI. That edition of the register noted 26 risks (17 red and nine amber). The HSE is not the only health system that has been targeted by hackers across the globe in recent years. Are health organisations particularly vulnerable to such attacks?
“In some ways, yes,” said Mr Corbridge.
“Health bodies find it harder to invest in cyber security at a simple patching and update level due to the nature of technology implemented into hospitals and health centres, [with] often expensive hardware that is required to exist longer term on specific older operating systems.
“Health is a target and again we come back to the knowledge and education that is needed in healthcare to protect from cyberattack.”
There is probably no good time for a nation’s health system to be the victim of a massive ransomware attack. However, everyone agrees that a year into a global pandemic is among the worst times imaginable. The negative impact on the working lives of doctors and healthcare teams in all areas of the health system was immediate and profound (see panel on page 5).
However, it has not just been clinical staff and their patients who have faced disruption. This has been a hectic time for IT teams working across the health system. “I woke up to a phone call at six o’clock in the morning to say, ‘I think we are in trouble’.” That is how Prof Neil O’Hare, Group CIO, Children’s Health Ireland, described the morning of 14 May. He was speaking at the online Future Health Summit on ‘Cybersecurity outcomes: Integration and IT challenges in healthcare’, which was held at the end of last month and attended by MI.
“I got into the car and was driving into the hospital and then a colleague in the HSE phoned me and said, ‘It’s bad Neil, it’s really bad’.
“And it was very bad.”
Prof O’Hare highlighted the toll the attack had taken on IT staff. He noted that one of the lessons of the attack was the “overreliance” on “very scarce technical experts”.
“Our own teams got totally exhausted. By the middle of week two, especially in one hospital where they were working almost 24 hours a day, they [IT staff] were ‘gone’ [with fatigue], they were really suffering,” he told the summit.
He added that private industry and the HSE provided support, but the attack had proven the need for hospitals and the health system to “grow” internal teams of IT staff and experts.
“During Covid there was a big focus on the frontline heroes, but I just also want to make the call out to my own team and all the IT teams across the country and operation teams, the people that are often forgotten about. They for me are huge heroes [during the cyberattack].” In terms of other lessons to be learned, Prof O’Hare said that “we need a better view of data security”. He added there was much work to be done in the recovery process.
“We have to start looking at back-loading of data, and that became a real issue, because bear in mind we had gone totally manually,” he said.
“So every patient was registered manually, all their details were taken manually. Now we have to go back and put that information back in.” He described this as “slow, careful, methodical work that needs to be done”.
He noted that the use of Windows 7 in the health service had been criticised. However, Prof O’Hare stated “we have to use” Windows 7 as “many of our applications still need Windows 7”. He said that “we would like to get rid of it, but we can’t until certain other systems are upgraded or replaced”.
With the health system’s IT staff focused on dealing with the fallout from the attacks, some have raised concerns that this may slow progress of the broader e-health agenda within the HSE. Mr Corbridge told MI: “The attacks are a drain on finance and time… and health systems must be resourced properly to ensure that when it does happen it is managed by experts in the field. Running the health system’s technology must continue at the same time.”
Thinking back to his old HSE position, he added: “I am certain that right now, and since the incident, every bit of focus of the entire Office of the CIO will have been on this issue.” He said the cost of this focus – not just financially, but in terms of “missed opportunity” in delivering the e-health agenda – “must not be underestimated”.
“Give the CIO the resource to support recovery; the resource then can and must be pointed at protection and preparation for the future. ”Since May there have been improvements, but the impact continues across the entire service.
“As part of remediation following the cyberattack, we are working to strengthen our network against future cyber threats, increase the cyber profile of the HSE and apply lessons from the present attack,” a HSE spokesperson told MI.
The spokesperson described this work as “ongoing”. They said an interim “multi-supplier security operations centre” is in the process of being agreed.
Ms Anne O’Connor, HSE Chief Operations Officer, told a press briefing on 8 July that the Executive was still dealing “with just reintroducing systems”, but that “huge progress” had been made. She noted that “our email is back” and “remote connectivity”, while the HSE was “still working on getting the VPN back and our internet access has been restored and that is stable”.
“So we have access to a lot more now this week. In terms of the actual systems, 80 per cent of our servers are decrypted so 3,933 and that’s just five up from last week and we’ve 83 per cent of our end-user devices, so just over 69,000,” said Ms O’Connor.
“In terms of our systems, we’ve good progress made. So we now have 52 per cent [of] sites with functioning patient management systems and that’s an increase of six on the number reported last week.” She said “we are making huge progress”, but that there were still gaps “being worked through on a daily basis”.
Department of Health
The Department of Health was also a target of the May cyberattack. However, a spokesperson said the situation had “improved significantly”.
“Access to key ICT systems was fully restored within a short period, with limited issues accessing niche or legacy systems currently being resolved,” the Department spokesperson told MI.
“The incident and subsequent access issues created significant backlogs in a number of areas which the Department is quickly working to clear.”
In terms of actions taken, the spokesperson said improved security measures have already been put in place within the Department’s IT systems.
“A complete security review of the Department’s infrastructure was undertaken. Specialised monitoring software has been installed to mitigate against malicious software and to provide early warning notifications of same,” said the spokesperson.
“The Department of Health continues to liaise closely with the National Cyber Security Centre, the Office of the Government Chief Information Officer, our security partner and with colleagues across the public service to ensure that best practice is followed as it relates to all aspects of cyber security.” Asked whether the perpetrators of the attack had contacted the HSE in recent weeks, the Executive said this was a matter for An Garda Síochána.
“The Garda Síochána investigation into the ransomware attack on the HSE is ongoing,” the Garda press office told MI. “The Garda National Cyber Crime Bureau, in conducting its investigation into this cyber crime, is continuing to work closely with the HSE and international law enforcement agencies.”
A crisis within a crisis
The cyberattack hit only a few weeks after the one-year anniversary of the start of the Covid-19 pandemic in Ireland.
Within hours of the HSE confirming the attack, and over the following days, doctors took to social media to describe the serious disruption to their work practices. All of these challenges were compounded by the ongoing pandemic.
The cyberattack caused instant difficulties in mental health services.
“Staff in mental health services depend heavily on communication technology, so the problems with email
and other forms of communication presented real issues,” Prof Brendan Kelly, Consultant Psychiatrist at Tallaght University Hospital, told the Medical Independent (MI). “This was hugely stressful for staff.” He said the impact of the pandemic had already seen much of the mental health services migrate online.
“We were also doing remote consultations owing to the pandemic, so our reliance on technology was greater than usual,” said Prof Kelly, who noted this “amplified the impact of the cyberattack”. In terms of general practice Dr Ray Walley, GP in north Dublin and former IMO President, said the main impact of the attack has been on access to diagnostics. He said that “the IT motorway that allowed Covid and community and hospital referrals” was “summarily stopped”.
Dr Walley told MI the cyberattack impacted the hospital referral system with GPs advising patients of “possible roadblocks” and if “in doubt [to] contact [the] hospital to confirm receipt of referrals”. He said although the system was emerging from the impact of the cyberattack, challenges linger in a fairly significant way.
“GPs are receiving weeks of backlog of test results and letters. The hours are longer, the business of Covid referrals has been replaced by this backlog…. The knock-on effect has been increased hours, increased stress.” However, some sectors of the health service were not as affected. Dr Maeve Eogan, National Clinical Director of the Sexual Assault Treatment Units (SATUs) and Consultant Obstetrician and Gynaecologist at the Rotunda Hospital, Dublin, told MI: “In terms of clinical care, the SATU [service] was not affected by the cyberhack.
“We do not use an electronic patient record, and therefore no identifiable patient data was compromised. Obviously there were some communication issues encountered around the time of the cyber hack – people will frequently use email to schedule or change follow-up appointments, for example – so we really noticed the absence of this.”
She added the SATUs also collect anonymous outline details on everyone who attends. This includes age, gender, type of incident, duration since incident, relationship to assailant, care administered, etc. This information is inputted with no patient identifiers by each of the SATUs into a HSE-hosted database and it enables the SATU service to monitor trends and produce activity reports including the annual review.
“While this database was not compromised by the cyber hack, it has been unavailable to us since 14 May, so we do not have up-to-date statistics for that period of time,” said Dr Eogan.
“Work is ongoing to get it back up and running, and clearly data can be inputted retrospectively – but we miss having access to that in terms of monitoring activity levels and ensuring our service is fit-for-purpose.” Hospitals have also faced specific challenges following the cyberattack, particularly the country’s 28 EDs. Last month, the Irish Association for Emergency Medicine raised concerns over “record daily numbers of patients in the past few weeks which has resulted in severe congestion and delays”, especially for those with less acute care needs.
The Association added that this “sharp increase” was occurring at a time when “very few EDs have a fully functioning suite of ICT as a result of the cyberattack on the HSE in mid-May”.
“This, in turn, is contributing to delays as many previously ICT-enabled processes continue to have to be performed manually or are being performed with significantly limited ICT functionality.
“The fact that the effects of the cyberattack are still so significant so long after the attack is a reflection of the level of destruction the attack wreaked on the HSE’s ICT infrastructure.”
Rethinking the e-health agenda?
While doctors and patients still live with some of the results of the attack, minds are beginning to move to the future and what lessons can be learned. Does this cyberattack demand a rethink of the entire e-health agenda?
“It should not and in reality cannot,” former HSE Chief Information Officer Mr Richard Corbridge told the Medical Independent.
“You don’t stop driving because you might have a bump. You educate to avoid the bump and put in place a process so that when the bump happens, all the support you need is in place.” He said healthcare can only deliver in a post-pandemic world “with technology not just as a foundation, but as a transformation catalyst”.
The “main lesson” from this crisis is the “importance of investment in IT” and ensuring “less centralisation of data”, stated Dr Ray Walley, GP in north Dublin and former IMO President.
“Equally there needs to be more local management with decision-making devolved. “This is why general practice is more secure. There can be centrally provided protocols in place and centrally provided resources but a more segmented approach is safer, with many ‘safes’ and many keys to the ‘safe’. In the same way as routine fire drills, we need the same approach to computer and data safety.”
Dr Walley pointed to Estonia as a country that provides a “good example of this”. “In their 2007 attack they utilised their experience to invest and energise change to becomes world leaders. We need to do similar.” Prof Brendan Kelly, Consultant Psychiatrist at Tallaght University Hospital, said the “chief lesson” of the cyberattack “is that we need to devote more attention to the role of technology” in Irish healthcare.
“Electronic patient records hold enormous potential, especially across hospitals, but the cyberattack emphasises the need for robust security and emergency procedures,” he told this newspaper.
“The cyberattack should not delay access to the advantages that technology offers, but it should inform future developments in a balanced way.” However, Prof Kelly said there was a “broader” lesson from the cyberattack.
“Contact and connection lie at the heart of patient care, health system organisation and collegial networks,” he said.
“Communication technologies have helped greatly with these, but the human factor is also central. In 1978, journalist Bernard Levin wrote in The [London] Times that ‘the silicon chip will transform everything, except everything that matters, and the rest will still be up to us’.”