Concern grows in Ireland over fallout from cyberattack


Two months after a major cyberattack in Ireland, the full consequences for patients and healthcare services are only starting to emerge.

"A particular concern is those studies which had to be postponed due to the cyberattack," Dr. Adrian Brady, a consultant radiologist at Mercy University Hospital in Cork, told on 12 July. "Like all hospitals, we're trying to rebook patients and get their investigations done as quickly as we're able, but due to staff holidays impacting capacity, summer isn't a great time to try to add capacity to a system that already works full-tilt."

Dr. Adrian Brady.

Emergency departments are busy, and the pressure on services is high, without taking into account the need to "catch up" on the work delayed because of the attack, he added. In Cork, systems are still running more slowly than usual, and there are still backlogs of activity from the period of the cyberattack that have yet to be resolved.

"We're getting there, but it will be months before all the consequences of the attack are ironed out," said Brady, who is first vice president of the European Society of Radiology. "Gradually, we have reverted to using our normal PACS/RIS again, at varying levels of normality, depending on the individual hospitals. Nonetheless, things are far from normal."

Cancer diagnoses

In an article posted on 11 July by the Irish Examiner, Prof. Rob Landers, vice president of the Irish Hospital Consultants Association (IHCA), expressed specific concerns around delayed cancer diagnoses.

"If there is a high suspicion that a patient has a cancer, that is always treated as urgent, and it will go through," he said. "The worry is that there are several in that (backlog) who have cancer, and nobody really suspects [it] yet. They could face a delay of eight, 10, 12 weeks in getting their diagnosis."

There is a large backlog of tissue samples sent to histopathology laboratories to be checked for potential cancers, he told the Irish Examiner.

"The cyberattack completely crippled the laboratory and radiology systems," he said. "We effectively could only do about 5% of normal activity for a good three to four weeks."

Brady disagrees, however. "It wouldn't be correct to say that radiology activity dropped to 5% to 10% of normal as a result of the cyberattack; it couldn't," he told "All departments operated workarounds to keep critical services running, albeit very imperfectly."

A pathologist usually assesses between 1,800 and 2,000 samples annually and aims for a 10-day turnaround, Landers continued. The backlog at University Hospital Waterford, where he works, is between 1,000 and 1,500 cases.

"I imagine a lot of the other histopathology labs would have a similar issue," he told the Irish Examiner. "So, the scale of the backlog in Waterford currently, you could almost argue, is one consultant for a whole year doing nothing else but addressing that kind of backlog."

The IHCA has called for more information technology (IT) funding from the Health Service Executive (HSE) in Ireland.

"It doesn't seem to be a priority for the HSE, which is a pity. It really does hinder efficiency and quality and safety," he said. "We have a myriad of different IT systems operating across the health services; they need to be tied together."

Real difficulties

At the HSE's UL Hospitals Group, comprising six hospital sites in the midwest of Ireland, chief operations officer Noreen Spillane said the 14 May cyberattack has been "really difficult" for patients following months of cancellations caused by the pandemic.

"We were just getting back up and running, and the cyberattack happened," she told the Irish Examiner. Spillane estimates that by early May, appointments had been back "almost to 89% of where we were pre-COVID."

Around 10,000 patients missed out on appointments following the cyberattack, including thousands of virtual appointments, she said, noting that approximately 39,000 patients were treated online across the hospital group in 2020.

Spillane said a lot of the cancellations were for elective surgery, as doctors had no access to blood tests or scans. This month, the emergency department at University Hospital Limerick has seen record numbers coming through. "Those patients are coming back in now for whatever was needed that we couldn't provide at the time," she told the Irish Examiner.

Patient details had to be taken down on paper, and merging these back into digital records continues. Staff have been using an app to communicate, as even telephones were down during the first difficult weeks.

"It is going to be weeks before we are really back to normal," Spillane said. "We are just about getting back now; patient safety was the most critical thing in all of this."

Serious data breach

HSE CEO Paul Reid told the Irish Examiner he is not aware of further releases of patient data by the criminal gang since information on 520 patients was released in May.

HSE CEO Paul Reid. Photo courtesy of the HSE.

An analysis of how the breach occurred is being carried out with security firm Mandiant Consulting. The High Court heard last Thursday that an IT link through which the criminals were communicating with the HSE shut down in mid-June.

The HSE posted its last update on 21 June, noting that healthcare services continue to be severely impacted by the cyberattack. IT teams continue to work around-the-clock seven days a week to restore services, but this restoration work must be done in a very safe way, it said.

According to Brady, this statement is reasonable, since the state of play varies substantially from site to site, and the HSE couldn't really issue a statement giving an overall indication of current status.
