Dealing with digital paralysis: Surviving a cyberattack in a National Cancer center

J Cancer Policy. 2024 Mar:39:100466. doi: 10.1016/j.jcpo.2023.100466. Epub 2024 Jan 2.

Abstract

Introduction: Cyberattacks represent a growing threat for healthcare delivery globally. We assess the impact and implications of a cyberattack on a cancer center in Ireland.

Methods: On May 14th 2021 (day 0) Cork University Hospital (CUH) Cancer Center was involved in the first national healthcare ransomware attack in Ireland. Contingency plans were only present in laboratory services that had previously experienced information technology (IT) failures. No hospital cyberattack emergency plan was in place. Departmental logs of activity for 120 days after the attack were reviewed and compared with historical activity records. Daily sample deficits (routine daily number of samples analyzed - number of samples analyzed during cyberattack) were calculated. Categorical variables are reported as median and range. Qualitative data were collected via reflective essays and interviews with key stakeholders from affected departments in CUH.

Results: On day 0, all IT systems were shut down. Radiotherapy (RT) treatment and cancer surgeries stopped, and outpatient activity fell by 50%. Hematology, biochemistry and radiology capacity fell by 90% (daily sample deficit (DSD) 2700 samples), 75% (DSD 2250 samples), and 90% (100% mammography/PET scan) respectively. Histopathology reporting times doubled (7 to 15 days). Radiotherapy (RT) was interrupted for 113 patients in CUH. The median treatment gap duration was six days for category 1 patients and 10 for the remaining patients. Partner organizations paused all IT links with CUH. Outsourcing of radiology and radiotherapy commenced, and alternative communication networks and national conference calls in RT and Clinical Trials were established. By day 28, email communication was restored. By day 210, reporting and data storage backlogs were cleared and over 2000 computers were checked/replaced.

Conclusion: Cyberattacks have rapid, profound and protracted impacts. While laboratory and diagnostic deficits were readily quantified, the impact of disrupted/delayed care on patient outcomes is less readily quantifiable. Cyberawareness and cyberattack plans need to be embedded in healthcare.

Policy summary: Cyberattacks pose significant challenges for healthcare systems, impacting patient care, clinical outcomes, and staff wellbeing. This study provides a comprehensive review of the impact of the Conti ransomware attack on cancer services in Cork University Hospital (CUH), the first cyberattack on a national health service. Our study highlights the widespread disruption caused by a cyberattack, including shutdown of information technology (IT) services, marked reduction in outpatient activity, and temporary cessation of essential services such as radiation therapy. We provide a framework for other institutions for mitigating the impact of a cyberattack, underscoring the need for a cyberpreparedness plan similar to those made for natural disasters and the profound legacy of a cyberattack on patient care.

Keywords: Cancer care; Cyberattack; Cyberpreparedness; Cybersecurity; Radiation; Technology; Therapy.

Publication types

  • Review

MeSH terms

  • Delivery of Health Care
  • Humans
  • Ireland / epidemiology
  • Neoplasms* / complications
  • Organizations
  • State Medicine*