Cyberattack on HSE systems prompts cancellation of key medical procedures

Disruption set to persist into next week as Taoiseach vows ransom will not be paid

Taoiseach Micheál Martin: “We’re very clear we will not be paying any ransom.” Photograph: Daragh McSweeney

Taoiseach Micheál Martin: “We’re very clear we will not be paying any ransom.” Photograph: Daragh McSweeney

 

Thousands of procedures, appointments and scans scheduled for patients next week have been cancelled as a result of the biggest cybercrime attack seen in the State.

The Health Service Executive says the disruption caused by the attack on its IT system will last well into next week, forcing the cancellation of many services.

“It’s not just that appointments have to be cancelled, but you can’t even see who has an appointment,” said a senior source.

Most elective work early next week is likely to be deferred, as diagnostic information from scans and other tests is not available online.

The attack will place further pressure on a health system already struggling with the consequences of the 14-month Covid-19 pandemic. More than 630,000 patients are waiting for an outpatient appointment and 79,000 are on the in-patient waiting list, according to figures published.

There were indications on Friday night that the attack had not been confined to the HSE.

Minister of State at the Department of Public Expenditure and Reform Ossian Smyth said the office of the Government chief information officer had identified issues at the Department of Health. He said there may also have been a “serious breach” and that department systems would be examined over the weekend alongside the HSE systems to assess the extent of any damage done

A ransom in bitcoin has been sought by criminal elements behind the attack on the HSE, but the body says this will not be paid, in accordance with State policy.

“We’re very clear we will not be paying any ransom,” Taoiseach Micheál Martin said. “Or engaging in that sort of stuff, so we’re very clear on that.”

“We have the people in place, we have the capacity and we have the systems in place.”

Vaccination continues

He said that the impact had to be dealt with “in a methodical way”. “It will take some days to assess the impact,” he said.

Although the incident brought parts of the health service to a standstill on Friday, vaccination against Covid-19 continued largely unaffected. Over 52,000 people were immunised.

Contact-tracing services and the provision of test results, which run on a separate computer system from the rest of the health service, were restored last night after being disrupted for most of the day.

IT staff in the HSE have yet to determine the extent of damage caused by the “zero-day threat” attack, which means there was no previous experience of how to respond. Nor is it known whether patient data has been compromised.

Over the weekend, they plan to restart individual elements of the HSE’s IT system once they have been risk-assessed and cleared, but the process is expected to continue into next week.

There are fears a second ransom demand may be received, threatening to release patient data if money is not paid.

Chief medical officer Dr Tony Holohan warned the ransomware attack on the HSE would impede the ability of the health service to organise effective testing.

Return to paper

However, the incident should not distract people from the basic public health messages that protect against infection. Patients with symptoms should self-isolate and attend one of the HSE’s self-testing centres, he said.

“We haven’t switched off testing and there is no reason to think the public will deviate from their behaviour,” Dr Holohan said.

The HSE said the attack began at about 4.30am on Friday and that IT staff switched off systems as a “precaution” to protect data.

Emergency, ambulance and most GP services were unaffected, but hospitals were forced to return to the use of paper.

It will be at least three days before the scale of the damage from “possibly the most significant cybercrime attack on the Irish State” is clear, a Government Minister has said.

Mr Smyth said the attack was carried out by a “serious international group”, and was an “order of magnitude” beyond normal cyber attacks launched on State agencies.

“It was targeted – it requires highly skilled operatives to control it,” he said.

The Garda is liaising with the HSE and the National Cyber Security Centre, as well as sharing information with Europol.

Naas hospital and St Luke’s hospital in Dublin said outpatient appointments on Monday had been cancelled, while Wexford has cancelled X-ray and endoscopy appointments. The Royal Victoria eye and ear hospital has cancelled outpatient appointments “until further notice”, while Wexford general hospital will decide on Sunday whether Monday’s appointments go ahead.

In contrast, St Vincent’s University Hospital in Dublin has not cancelled any appointments.