In May of 2017, we all became familiar with WannaCry. The ransomware attack affected over 200,000 computers in 150 countries, but we were particularly aware of the effects on the UK’s NHS, who experienced an unprecedented shutdown of IT systems in many hospitals over the course of a single day. Operations and clinics had to be cancelled and ambulances diverted to different hospitals because a computer virus, or malware, was preventing clinicians from accessing the essential clinical information they needed to look after their patients. This was a wakeup call for healthcare everywhere, and thanks to some quick thinking and hard work across the entire HSE, we were able to stop the virus from spreading through our own IT systems. We learned many lessons over the course of that week and we are now preparing to tackle cybersecurity head on.
Technology isn’t Enough
One of the key lessons from the WannaCry attack was that technology can be the weakest link. However, technology is only one part of the puzzle of protecting our health system and by itself it isn’t enough. Certainly, outdated IT systems with poor security could leave our health system exposed to cyberattacks. Additionally, we must have back-up plans so that we can continue to care for patients effectively even if our IT systems are taken down, however the effects of those attacks can also be prevented by people and processes. The #THINKB4UCLICK campaign was really effective, because it was so widely accepted and adopted by all of you working in the Irish healthcare system. Moving forward, we must start training, educating and supporting our frontline staff so that they can develop safe internet practices, recognise harmful e-mails and report suspicious activities. We are only as strong as our weakest link, wherever that may be!
Cybersecurity is about Patient Safety
What we learned from the NHS is that patients can be harmed when there isn’t enough investment in cybersecurity and when its treated as only an IT issue. In the NHS it is estimated that 19,000 hospital appointments were affected, including nearly 140 potential cancer referrals; ambulances and individuals were diverted away from 5 major A&E departments, and there were many other immeasurable knock-on effects. When clinic appointments and operations are being cancelled, then patient care is being disrupted which can obviously be a source of harm. When it reaches the point where ambulances are being diverted leading to delays in sometimes urgent scenarios, then at that point you can’t deny that any cyber threat is a threat to patient safety. Starting now, we will encourage and support all healthcare organisations and their leaders to view cybersecurity as an essential factor in patient care, especially as we are well on our way to an eHealth revolution in Ireland. If you would like to know a little more about the eHealth Ireland response to these threats, follow this link.
What can you do?
It’s important that we all take personal responsibility, rather than expecting it all to be sorted by IT departments or management. Many HSE staff have already taken the Good Information Practices module – if you haven’t, log on to HSEland and try it. It’s 20 minutes well spent. More than anything else, we need to be aware of the dangers lurking in the online world, or through other inadvertent introduction to systems e.g. CDs or USB keys. So inform yourself about the risks that exists, and the good practices that we can all adopt to avoid them. Don’t be afraid to ask for help or advice, and remember – Think b4 u click!