HSE uneasy about restarting record-sharing system between hospitals

Cyberattack like ‘a missile dropped’ into health service with the impact unknown

The HSE remains “very nervous” about switching on its patient information system to allow hospitals to share important records after the crippling cyber attack, a top health official has said.

Health Service Executive chief operations officer Anne O’Connor said the “big bang” in progress in the post-attack recovery was turning on the information system to allow patient records to be shared.

Progress has been made in restoring the HSE’s system to capture, store and share radiology, cardiology and other diagnostic images within specific hospitals and their laboratories.

By the end of this week, there will be just six of 48 hospitals that have not restored this system.

However, the bigger challenge facing the HSE is opening up firewalls within the IT system to allow information to flow out of hospitals into other hospitals, to GPs or other services.

“In opening up our system, the firewall is the big question. We have a lot of very nervous people about that because as soon as we open that up anything can get in,” said Ms O’Connor.

The HSE was forced to shut down its IT systems on May 14th following a severe ransomware attack that encrypted data stored on the central servers of the national health service.

Ms O’Connor said the HSE was still trying to assess the extent of the damage caused by the attack and may not know the full impact until all IT systems have been switched back on.

“This is like somebody dropped a missile into the health service and we are left trying to figure out what it was and then what is the impact of it. We are still assessing the impact,” she said.

Ms O’Connor said that the stress on the system was “across the board” and that restoring the IT services across the service would be “protracted”.

The HSE had to devise “workarounds” involving people doing jobs they have never done before, including “a huge number” working as “runners” delivering records in hospitals, she said.

The HSE had restored radiotherapy services in Galway to a limited capacity on Wednesday and would have them back up and running for scheduled patient appointments on Thursday.

Restoring these services in Cork would be “a bit slower”, said Ms O’Connor.

The HSE normally treats about 14,000 outpatients a day. But this was running at about 50 per cent capacity, adding to the post-pandemic backlog of cases by about 7,000 a day.

Samples awaiting test

Voluntary hospitals have resumed services but laboratories were operating at 20 per cent of normal levels, resulting in many blood samples sitting untested and in danger of expiring.

“We have a lot of tests that are going to have to be repeated,” she said.

The biggest risk in the community was in the mental health services where there is still no access to patient records.

Ms O’Connor said the stress on staff managing the fallout from the attack was immense.

“We have medical scientists who cannot sleep because they are looking at the number of samples they cannot test that they know are expiring . . . for people who may be very sick,” she said.

Thirteen days after the attack, the HSE has still not seen evidence that hacked patient data is appearing online despite threats to do so by the cyberattackers.

Meanwhile, in the Government's response to the cyberattack, Minister of State for Communications Ossian Smyth said there will be no "penny pinching" when the Government makes renewed efforts to hire a director for the National Cyber Security Centre.

In an appearance at the Oireachtas communications committee, he downplayed a suggestion the salary would have to be as high as €290,000. The Government had offered a salary of between €106,000 and €127,000 for the job, but a selected individual declined the role for personal reasons.