Medic reveals the human cost of the Irish ransomware attack

IT systems 'crippled' and patients' lives at risk, according to doctor serving on the frontline of Ireland's health service

The Irish healthcare system has been severely impacted by a cyber attack

“It’s cracking, the whole thing.”

This is the harsh reality from the frontline of Ireland’s healthcare system following a devastating ransomwear attack 11 days ago.

The impact of the attack, in which a criminal gang activated Conti ransomware inside the Health Service Executive’s IT systems, sparked a widescale shutdown.

But, while Government officials were quick to reassure people that emergency services and the country’s vaccine programme would remain operational; hospitals are reporting ongoing issues as the HSE admits it may ‘take a number of weeks’ to fully restore systems.

And this has heaped more pressure on already-exhausted frontline staff, as well as potentially putting patient lives at risk.

Impacting lives

Hospital medic, Daniel (not his real name), this week spoke to cyber security specialist, Malwarebytes Labs, and, on condition of anonymity, revealed the attack it continuing to impact the lives of vulnerable patients.

With computers dormant, simple things have become difficult, he said; and complex surgeries have to be cancelled.

There is no official timeline, but we’re thinking it will take at least a week or so. We are not optimistic about it

Before the attack he would go through a system linked to HSE for each of his appointments, looking for GP referrals by email, checking blood results, accessing scans, and reading notes linked to each patient.

But that information has now gone.

“Before surgery I review [each patient’s] scans, or even during the surgery. Legally I have to look at the scans”, he told Malwarebytes Labs.

“But I can’t even check my hospital mail.

“Our communication with everyone has been affected… They can’t ring me.

“The whole thing is just breaking apart.”

And the GDPR, which is designed to protect patient data, prevents him from using his personal email or other messaging systems for hospital business.

Pen and paper

A generation of staff raised on computers are now suddenly back to using pen and paper.

“You don’t know who’s looking for who, or who wants to see who,” says Daniel.

He said he first learned about the attack when he arrived at work.

“I didn’t get a heads up,” he adds.

“All computers were not allowed to be touched.”

And he describes how uncertainty hung over them, until at midday he let a patient who had been waiting for surgery since 7am know that the day was cancelled.

“She’d been fasting and, with her stress up, I had to tell her to go home,” he reveals.

“We were optimistic it would get fixed over the weekend,” Daniel adds.

“We thought it might get done the same day. Then we thought maybe Monday.

You either do it right, or you do it wrong, and if you do it wrong, you’re harming somebody

“There is no official timeline, but we’re thinking it will take at least a week or so. We are not optimistic about it.”

A recent Ransomware Task Force report reveals the average downtime after a ransomware attack is 21 days.

And the time to fully recover is over nine months.

Commenting on the impact this has on patients, Daniel reveals: “I have to tell patients, sorry I can’t operate on you. You’ve been fasting, you came a long distance, you rescheduled things to make time for me, maybe you had to take time off work, but, after all this I have to say sorry, I can’t see you.

“I’m dealing with patients’ lives here. It’s not something you can take lightly.

A growing backlog

“You either do it right, or you do it wrong, and if you do it wrong, you’re harming somebody.”

But not harming people requires access to information he no longer has.

“If I reschedule a patient and they come back a few weeks, or a few months, later with a tumour that I couldn’t assess from the paperwork…”,

And those whose conditions are stable are suffering too.

“Our backlog just became tremendous”, Daniel says, before explaining that over the last few months he and his colleagues have performed surgeries at night and through the weekends to work through the backlog of operations and appointments delayed by the response to COVID-19.

And now there is another reason to work late.

And he must also deal with anguished, sometimes-angry patients.

“Imagine the scenario,” he says.

The pressure will build up, and they will have to do what has to be done. This can’t go on. This is disastrous

“Patients will wait literally two years to see us.

“After two years they get a call saying ‘I’m sorry I can’t see you and I have to reschedule you and I can’t say when, because of the ransomware’.

“They know it’s not my fault, but they are upset and very annoyed.”

And hanging over all these interactions is the spectre of litigation.

Whichever way he turns, his decisions have consequences and his decision-making process is in tatters.

But what does he think of the statement by the Irish Taoiseach (Prime Minister) that the Government would not be forced into paying a ransom?

“I think they will pay the ransom,” he says. “I don’t think there is another way around it.

“The pressure will build up, and they will have to do what has to be done. This can’t go on. This is disastrous.”

If it was his decision, would he pay?

“I would. There is no money you can pay to take somebody’s life away. I would make my system more robust so this doesn’t happen again,” he said.

And, in a final message to the attackers, he said: “If your loved-one was sick, would you do this?

“If you had somebody you cared about, would you do this to them?

“That’s what I’d ask them.”

“I think they lost their humanity.”

Slow, steady progress is being made, but this restoration work must be done in a very safe way and we anticipate it will take a number of weeks

In an updated statement on Sunday, the HSE said a ‘structured and controlled deployment of the new decryption tool’ was continuing across the core network and its endpoint devices.

This work started on Saturday and will continue into this week.

It adds: “Progress continues to be made in some hospitals on restoring IT systems and some sites, at a local site level only, now have access to radiology, laboratories, and their patient administration systems.

“But this is uneven across the country and levels of disruption this week are expected to be similar to those of last week.

“Slow, steady progress is being made, but this restoration work must be done in a very safe way and we anticipate it will take a number of weeks.”

And the HSE said it had secured a High Court order preventing any individual or business from sharing, processing, or selling any information secured as a result of the attack.

“Our focus is on doing everything we can in relation to this and we are collaborating and working closely with the social media platforms,” said the statement.

It adds that security experts are concentrating on restoring priority systems such as radiology and diagnostic systems, maternity and infant care, patient administration systems, chemotherapy, and radiation oncology.

Click here to read the full interview on the Malwarebytes Lab website.

Companies