Cyberattacks on health systems are not black swan events and must be addressed in a robust manner with comprehensive cybersecurity strategies, policy, and adequate resourcing to prevent recurrence 

Globally, healthcare professionals have been fighting a biological virus, SARS-CoV-2, for over a year. In addition to the coronavirus, the national health service in Ireland has recently been attacked by another virus, a digital virus, which crippled the provision of healthcare. However Ireland is not alone, with similar viral cyber attacks happening in hospitals in New Zealand and the USA. 

Digital viral threats to health systems have the potential to cause local, national, and international harm to patients, resulting in a “pandemic” of digital extortion. Hospitals are not exempt and are prime targets for ransomware attacks as they hold sensitive patient data. Hospital networks and medical devices are critical infrastructure for human health and therefore should have appropriate cybersecurity infrastructure to protect from cyberattacks.

The recent cyberattack that affected the Irish healthcare system was a human-operated ‘Conti’ ransomware attack that severely disabled the healthcare system’s information technology (IT) capability. This necessitated the shutdown of the entire health IT system to assess and limit the impact. Many Irish hospitals were forced to cancel all outpatient clinics and elective procedures, which have only just started to recover from the impact of covid-19. Inpatient teams had to revert to pen and paper. 

National healthcare systems are often vulnerable to cyberattacks due to budgetary constraints and siloed, diverse legacy IT systems. Out of date computer hardware assets, unable to run contemporary operating systems and software such as web-browsers is akin to using medieval defences against a modern enemy. 

Ransomware attacks, a type of “digital virus,” have increased globally across all industries and sectors. 

For health systems, not only does ransomware pose the threat of sensitive data being leaked or sold, it also poses an immediate risk to patients. Health systems are heavily reliant on IT systems for daily work. While systems are inaccessible, or incomplete, patient care is significantly delayed. It severely slows diagnostics, and potentially causes an increase in patient morbidity and mortality. 

Digital transformation can improve patient outcomes and deliver more cost-efficient healthcare. Therefore most health systems have moved to integrate IT systems to improve access and communication between different sectors within healthcare. In addition, there has been huge innovation and adoption of digital technologies for remote monitoring and treatments. (O’Keeffe D, et al). 

However digital transformation and cybersecurity must go hand in hand, especially when it comes to patient data and safety. Multiple studies (Abraham C, et al, Coventry L, Bhuyan et al.,Martin G, et al) have highlighted the challenges of cybersecurity in the healthcare setting. Addressing cybersecurity requires infrastructural change, behavioural change, appropriate governance, and adequate resourcing. This is not the first time, nor will it likely be the last time, a health system falls victim to ransomware. The WannaCry malware attack, which disrupted care in approximately 40 NHS hospitals should have served as worldwide “wake up call” to ensure robust cybersecurity in healthcare infrastructure, which unfortunately it appears, it did not. More recently, an attempt was made to extort mental health patients in Finland with the threat of releasing their medical records. It not only targeted the health organisation, but attempted to demand ransom from individual patients. Therefore prevention of “digital infections,” via robust cybersecurity strategy, policy, and resources in the healthcare setting is as important to patient welfare as clinical care. (Martin G, et al) 

Just like the need to prepare for future pandemics, global healthcare infrastructure must plan for future cyberattacks. We would be remiss to “return to normal” without learning from our present circumstances. It is evident by the major disruption caused by both the Covid-19 pandemic and a cyberattack in the past year, that major changes are necessary in healthcare planning to minimise negative impacts on our patients going forward, when these events happen again, which they will.

Aoife Murray, postgraduate physician researcher in Digital Health at the Health Innovation Via Engineering (HIVE) Laboratory, School of Medicine, National University of Ireland, Galway.

Derek O’Keeffe, consultant physician at University Hospital Galway, Ireland; professor of Medical Device Technology at CÚRAM – SFI Research, Centre for Medical Devices, National University of Ireland, Galway (NUIG); Digital Health Principal Investigator at HIVE Laboratory and Lero – SFI Centre for Software Research, NUIG.

Competing interests: none declared.