A week from hell as health service grapples with cyberattack

The HSE has had its hardest year dealing with Covid. Now it has had its hardest week

A week after the attack occurred, inpatient procedures and chemotherapy services were down 50 per cent on normal levels while inpatient and endoscopes were down 70-80 per cent. Photograph: Alan Betson / The Irish Times

Fifteen months into a pandemic, just when it seemed things were looking up, along came the cyberattack to upend the health service and deliver the week from hell.

"The hardest six days of my working life," was how paediatric radiologist Dr Gabrielle Colleran described her state of exhaustion after a week of shutdowns and work-arounds in the Dublin hospitals where she works.

"A major disaster," said Dr Vida Hamilton, who as the HSE's national clinical adviser for acute operations played a central role in trying to prevent the system coming to a complete collapse. "We know nothing about the individual. We have no charts, no record number."

This experience of “flying blind” was widespread across the system, from oncologists deprived of scan information about their patients in the operating theatre to psychiatrists in clinics making decisions about vulnerable people without access to their records.

Just as with Covid-19, the cyberattack hit hard and wide, but the damage wrought was not uniform. HSE-run hospitals were hit worst; voluntary hospitals less so. Most GPs could just about manage, but everyone’s problems are mounting the longer the enforced computer shutdown lasts.

A week after the attack occurred, inpatient procedures and chemotherapy services were down 50 per cent on normal levels while inpatient and endoscopes were down 70-80 per cent.

Sharing scans

Radiology was one of the worst-affected areas, due to its dependence on centralised IT for sharing scans. But with emails down across the health service, the disruption spread from hospitals to the community, as GPs were no longer able to make referrals or order tests.

In hindsight, the HSE deserves credit for the rapid shutdown of the system once the attackers hit. In the days that followed, the initial sense of shock mutated into a grim determination to restore services despite the absence of computer infrastructure.

It was a “back to the 70s” week for the health service, thanks to a new-found reliance on pen and paper, and redeployed staff serving as “runners” to deliver scans and paper files.

“Shoulders to the wheel, solutions-focused, trying to minimise the patient impact,” as Colleran described it.

Caution was the watchword as the predominant fear on the minds of staff was the risk of patient harm caused by the loss of precise information about patient histories or historical scans. The price for caution was long delays in the services that were operating.

As the week progressed, some services returned while backlogs in others mounted.

Prevented

Questions started to be asked about how this disaster could have happened, and whether it could have been prevented. The HSE explicitly rejected any suggestion outdated software could have played a role in the breach of its IT security. Despite the abundant use of ancient versions of Microsoft Word across the health service, officials said this was not a factor in what happened.

“IT services in the HSE are grossly understaffed and inadequate for the maintenance of complex national electronic records like Nimis [the electronic storage system for scans],” one doctor told The Irish Times. A proposal for parallel servers for the system was turned down due to lack of funding, he claimed.

The long-standing technology challenges faced by the health service were never more apparent than during the pandemic, when the lack of a proper e-health system made it hard to keep track of Covid-19. Recent cyberattacks on US health agencies do not seem to have caused any alarm bells to go off in Ireland or, if they did, not enough to make a difference.

The HSE is still struggling to find the cause of the security breach, not surprising perhaps in a service with 150,000 access points, 2,000 different systems and 4,500 servers. As the hackers lead a merry dance and exhausted staff continue to mop up, attention will turn to Monday, when the widespread release of patient data has been threatened. Just as with the virus, things may get worse before they get better.

Paul Cullen

Paul Cullen is a former health editor of The Irish Times.