The impact of a ransomware cyber attack on a breast cancer center.

Abstract

e13620 Background: On the 14th of May 2021 the Irish Health Service Executive (HSE) was the victim of a “Conti” ransomware attack. The HSE is a nationwide organization providing Ireland’s public health service, consisting of approximately 4000 locations and more than 70,000 connected devices. The study aim is to quantify the impact of the cyber attack by examining the effect on the Breast Cancer services at Cork University Hospital 1 of 8 national cancer centres & 1 of 54 HSE acute hospitals. Methods: New patient referrals through the weekly Breast cancer MDT meeting were used as the study nidus. Patient referrals & key performance indexes for a period of 4 weeks prior, during & after the attack were examined. Time was the key metric examined. Results: The attack triggered a Critical Incident Protocol, resulting in the switching off of all HSE IT systems at national level. Disruption to patient care & operations within the HSE was immediate & without warning. Initially encrypted messaging groups were established to facilitate communication & paper based tracking & data management logs were created. Diagnostics, scheduling & radiotherapy services were most severely affected. The attack resulted in the immediate shut down of the hospitals radiotherapy department with all new treatments transferred off site to a private facility, ongoing treatments delayed, replanned or rescheduled. The effect on the radiology department was catastrophic, all outpatient & non-urgent scans were cancelled. Digital report & image stores were unavailable. Historic imaging & ongoing emergency imaging was unavailable. Taking 7 months to restore impacted data storage & to ensure accurate capture of all reports for examinations during the cyber downtime. The average time from surgery to completed pathology went from 7.04 to 15.03 & 11.8 days in the 4 weeks prior, during & after the attack respectively. Services that were least impacted during the IT outage were those that relied on paper records including chemotherapy administration. The average time from biopsy report to up front surgery decreased from 21.75 to 17 & 14 days in the 4 weeks prior, during & after the attack respectively. Likely due to the increased availability of theatre time, as all non cancer related elective procedures were cancelled. There was little effect on the time from MDT discussion to review by medical oncology, taking an average of 6, 5.7 & 5.8 days in the 4 weeks prior, during & after the attack respectively. The majority of new referrals to the service being seen off site in a satellite clinic & infusion unit that relied on a paper based booking system prior to the attack. Conclusions: The cyber attack had significant disruptive effects lasting months. The impact on patient outcome due to delayed or interrupted treatment will take years to clarify. The attack was facilitated by the presence of multiple, fragmented IT platforms & demonstrated a lack of preparedness in the system which needs to be addressed to prevent recurrence.