The Irish National Orthopaedic Register Under Cyberattack: What Happened, and What Were the Consequences?

Abstract

On May 14, 2021, a criminal cyberattack was launched against the Irish public healthcare system, the Health Service Executive, resulting in a complete shutdown of all national healthcare computer systems, including the Irish National Orthopaedic Register (INOR). Cyberattacks of this kind occur sporadically, and postevent analyses can inform future preparedness efforts, but few such analyses have been published. What was the impact of the cyberattack in terms of (1) registry downtime, (2) harms to patients, and (3) costs to the INOR for data contingency and reconciliation? All nine hospitals using the INOR were included for data collection. Since establishment in 2014, the INOR has been rolled out to all eight public elective hospitals, capturing all hip and knee arthroplasty procedures. One private hospital was also captured, with plans to expand the private sector coverage. Individual institutional records and central INOR records were queried with respect to downtime, potential harms to patients (including intraoperative complications because of a lack of data on existing implanted components and complications directly attributed to delayed or canceled procedures), and costs related to additional person-hours addressing data reconciliation. Objective data directly related to the uncontrolled INOR downtime were collected, including duration of downtime, contingency methods employed, quality of contingency data collected, adverse patient events, methods of data salvage and reconciliation, and the cost of data contingency and reconciliation measures. Costs were estimated by the additional person-hours of work completed, multiplied by the hourly rate of that employee. Employees at each of the nine hospitals were asked to provide their additional person-hours of work performed because of the attack. These hours were corroborated by observing the time taken at each unit to reconcile data for single cases multiplied by the number of cases at that unit. Employees included nurses, clinical nurse specialists, and doctors of various grades. Person-hour rates were calculated using the Health Service Executive's published salary scales. The INOR suffered a median downtime of 134 days (range 119 to 272 days) across nine sites. No serious adverse patient events were identified. The immediate implementation of a paperwork fallback method for the INOR successfully resulted in 100% case capture during the downtime. However, 2850 additional person-hours were required for data reconciliation at an estimated cost of USD 181,000 to USD 216,000. More subjectively, as reported by interviews with INOR leads at each hospital, the cyberattack negatively impacted operating room efficiency with delays between procedures because of additional paperwork data collection, disrupted patient flow for paperwork data collection on the ward level and in the outpatient clinics, and disrupted resource allocations and staff capabilities because of additional paperwork requirements during the contingency period. Disruptions to data collection and data accessibility after this cyberattack were successfully countered by a contingency plan; however, substantial financial costs and additional resources were required for data conservation and reconciliation. In addition to robust preventative security measures, national registers and other healthcare systems should have secondary data backup facilities and reliable fallback procedures prepared for such events.