Ransomware attacks and digitising health and patient data

 

Sir, – Naomi O’Leary points out that having a strong digital infrastructure in the health service is the secret weapon in dealing with the pandemic (“Europe’s vaccination no-shows: the likeliest explanation”, World, April 8th). It must be a secret because nobody told us.

In Estonia, 99 per cent of health data is digitised in a centralised national database which allowed the course of disease outbreaks to be tracked long before the current pandemic.

Naomi O’Leary writes that Ireland is on the other end of the scale with patient records siloed across different services and an archaic reliance on paper throughout the system This, she tells us, shocks healthcare workers who have worked abroad.

It must also have come as a shock – and as something of a disappointment – to the hackers. – Yours, etc,

PAT O’BRIEN,

Rathmines,

Dublin 6.

Sir, – While much comment and discussion has taken place regarding the consequences of the ransomware attack on the records held by the HSE and Department of Health, what worries me is that few if any have asked the question: could this have been prevented?

Equally worrying is the possibility that other Government departments may be open to similar attacks, such as the Department of Social Affairs, which holds much sensitive information on many clients.

People will need reassurance that the very sensitive information held by many Government departments and agencies is really as secure as we have been led to believe. – Yours, etc,

MP MONAGHAN,

Foxrock,

Dublin 18.

A chara, – My colleagues and I are aghast at the ransomware attack on the HSE. However, our IT systems being in flux could also present a golden opportunity to catalyse digital transformation. Our health system’s patchwork quilt of IT systems, which have previously served as a barrier to harmonised digitisation, is now significantly disrupted. Perhaps in our response to this cyberattack we could look to the Sendai Framework for Disaster Risk Reduction, and “Build Back Better”.

The strategy for this has already been developed through Sláintecare’s Strategic Action 10, which centres around e-health and implementing a national acute electronic health record.

The technology is well-tested in an Irish context and internationally. I have seen the success of the electronic patient record at St James’s Hospital, where it has transformed patient care since it was introduced in 2018. Integrating individual health identifiers will further enable seamless movement of patients within the system and avert duplication.

Clearly a major investment in world-class cybersecurity operations must underpin this. A shrewd IT purchasing strategy is also crucial.

The choice is clear: we restore an archaic IT system, or we reimagine an intelligent one.

The latter will be key to greater efficiency and safer patient care into the future.

In the meantime, we continue to deliver patient-centred care, with staff at every level rising to the challenge and doing their utmost to mitigate risk in the wake of yet another virus. – Is mise,

Dr EIMEAR DUFF,

Dunmore East,

Co Waterford.

Sir, – Computer hackers exploit “vulnerabilities” in code and programmers go to great lengths to eliminate such weaknesses from their systems. Some may slip through but, when recognised, they can be “patched”, as happens regularly in software updates. However, it is virtually impossible to defend against an attack that exploits a so-called “zero day” weakness – one that has not been seen before.

Cyber-attackers can encrypt data, thus rendering it inaccessible to the owner, and demand a ransom for it to be decrypted. If owners have not taken the preventive measure of storing secure back-ups, they have no option but to lose data or pay the ransom. Even when such backups are available, it may take a substantial time to restore systems, with consequent disruption to business or the public services.

However, to defend against the other lever that hackers use – that they will publish the data online – the owner of the data has a solution available; namely, to store the data in encrypted form in the first place. The successful attackers can still encrypt the data a second time, with the same consequence for the owner, but they will not have access to the raw data and cannot therefore threaten to put confidential information online.

Although straightforward in principle, this solution requires a significant effort at considerable cost to implement for large complex systems. Nonetheless, the attack on the HSE is a wake-up call to public and private organisations to store their data in encrypted form or remain exposed to the publication of confidential information. – Yours, etc,

PATRICK FITZPATRICK,

Bishopstown,

Cork.