Rachel J. Keogh , Harry Harvey , Claire Brady , Edel Hassett , Seán J. Costelloe , Martin J. O’Sullivan , Maria Twomey , Mary Jane O’Leary , Mary R. Cahill , Aideen O’Riordan , Caroline M. Joyce , Ger Moloney , Aileen Flavin , Richard M Bambury , Deirdre Murray , Kathleen Bennett , Maeve Mullooly , Seamus O’Reilly
{"title":"Dealing with digital paralysis: Surviving a cyberattack in a National Cancer center","authors":"Rachel J. Keogh , Harry Harvey , Claire Brady , Edel Hassett , Seán J. Costelloe , Martin J. O’Sullivan , Maria Twomey , Mary Jane O’Leary , Mary R. Cahill , Aideen O’Riordan , Caroline M. Joyce , Ger Moloney , Aileen Flavin , Richard M Bambury , Deirdre Murray , Kathleen Bennett , Maeve Mullooly , Seamus O’Reilly","doi":"10.1016/j.jcpo.2023.100466","DOIUrl":null,"url":null,"abstract":"<div><h3>Introduction</h3><p>Cyberattacks represent a growing threat for healthcare delivery globally. We assess the impact and implications of a cyberattack on a cancer center in Ireland.</p></div><div><h3>Methods</h3><p>On May 14th 2021 (day 0) Cork University Hospital (CUH) Cancer Center was involved in the first national healthcare ransomware attack in Ireland. Contingency plans were only present in laboratory services who had previously experienced information technology (IT) failures. No hospital cyberattack emergency plan was in place. Departmental logs of activity for 120 days after the attack were reviewed and compared with historical activity records. Daily sample deficits (routine daily number of samples analyzed – number of samples analyzed during cyberattack) were calculated. Categorical variables are reported as median and range. Qualitative data were collected via reflective essays and interviews with key stakeholders from affected departments in CUH.</p></div><div><h3>Results</h3><p><span><span>On day 0, all IT systems were shut down. Radiotherapy (RT) treatment and cancer surgeries stopped, outpatient activity fell by 50%. </span>hematology<span>, biochemistry and radiology<span> capacity fell by 90% (daily sample deficit (DSD) 2700 samples), 75% (DSD 2250 samples), and 90% (100% mammography/PET scan) respectively. Histopathology reporting times doubled (7 to 15 days). Radiotherapy (RT) was interrupted for 113 patients in CUH. The median treatment gap duration was six days for category 1 patients and 10 for the remaining patients. Partner organizations paused all IT links with CUH. Outsourcing of radiology and radiotherapy commenced, alternative communication networks and national conference calls in RT and </span></span></span>Clinical Trials were established. By day 28 Email communication was restored. By day 210 reporting and data storage backlogs were cleared and over 2000 computers were checked/replaced.</p></div><div><h3>Conclusion</h3><p>Cyberattacks have rapid, profound and protracted impacts. While laboratory and diagnostic deficits were readily quantified, the impact of disrupted/delayed care on patient outcomes is less readily quantifiable. Cyberawareness and cyberattack plans need to be embedded in healthcare.</p></div><div><h3>Policy Summary</h3><p>Cyberattacks pose significant challenges for healthcare systems, impacting patient care, clinical outcomes, and staff wellbeing. This study provides a comprehensive review of the impact of the Conti ransomware attack on cancer services in Cork University Hospital (CUH), the first cyberattack on a national health service. Our study highlights the widespread disruption caused by a cyberattack including shutdown of information technology (IT) services, marked reduction in outpatient activity, temporary cessation of essential services such as radiation therapy. We provide a framework for other institutions for mitigating the impact of a cyberattack, underscoring the need for a cyberpreparedness plan similar to those made for natural disasters and the profound legacy of a cyberattack on patient care.</p></div>","PeriodicalId":38212,"journal":{"name":"Journal of Cancer Policy","volume":"39 ","pages":"Article 100466"},"PeriodicalIF":2.0000,"publicationDate":"2024-01-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Cancer Policy","FirstCategoryId":"1085","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2213538323000838","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"HEALTH POLICY & SERVICES","Score":null,"Total":0}
引用次数: 0
Abstract
Introduction
Cyberattacks represent a growing threat for healthcare delivery globally. We assess the impact and implications of a cyberattack on a cancer center in Ireland.
Methods
On May 14th 2021 (day 0) Cork University Hospital (CUH) Cancer Center was involved in the first national healthcare ransomware attack in Ireland. Contingency plans were only present in laboratory services who had previously experienced information technology (IT) failures. No hospital cyberattack emergency plan was in place. Departmental logs of activity for 120 days after the attack were reviewed and compared with historical activity records. Daily sample deficits (routine daily number of samples analyzed – number of samples analyzed during cyberattack) were calculated. Categorical variables are reported as median and range. Qualitative data were collected via reflective essays and interviews with key stakeholders from affected departments in CUH.
Results
On day 0, all IT systems were shut down. Radiotherapy (RT) treatment and cancer surgeries stopped, outpatient activity fell by 50%. hematology, biochemistry and radiology capacity fell by 90% (daily sample deficit (DSD) 2700 samples), 75% (DSD 2250 samples), and 90% (100% mammography/PET scan) respectively. Histopathology reporting times doubled (7 to 15 days). Radiotherapy (RT) was interrupted for 113 patients in CUH. The median treatment gap duration was six days for category 1 patients and 10 for the remaining patients. Partner organizations paused all IT links with CUH. Outsourcing of radiology and radiotherapy commenced, alternative communication networks and national conference calls in RT and Clinical Trials were established. By day 28 Email communication was restored. By day 210 reporting and data storage backlogs were cleared and over 2000 computers were checked/replaced.
Conclusion
Cyberattacks have rapid, profound and protracted impacts. While laboratory and diagnostic deficits were readily quantified, the impact of disrupted/delayed care on patient outcomes is less readily quantifiable. Cyberawareness and cyberattack plans need to be embedded in healthcare.
Policy Summary
Cyberattacks pose significant challenges for healthcare systems, impacting patient care, clinical outcomes, and staff wellbeing. This study provides a comprehensive review of the impact of the Conti ransomware attack on cancer services in Cork University Hospital (CUH), the first cyberattack on a national health service. Our study highlights the widespread disruption caused by a cyberattack including shutdown of information technology (IT) services, marked reduction in outpatient activity, temporary cessation of essential services such as radiation therapy. We provide a framework for other institutions for mitigating the impact of a cyberattack, underscoring the need for a cyberpreparedness plan similar to those made for natural disasters and the profound legacy of a cyberattack on patient care.