“It’s cracking, the whole thing.”
The words were delivered quickly, but in a thoughtful and measured way. As if the person saying them was used to delivering difficult news. Little surprise, given they belonged to a doctor. But this doctor wasn’t describing a medical condition—this was their assessment of the situation on the ground in the hospital where they’re working today, in Ireland.
Since May 14, Ireland’s Health Service Executive (HSE) has been paralysed by a cyberattack. In the very early hours of Friday morning, a criminal gang activated Conti ransomware inside HSE’s computer systems, sparking a devastating shutdown.
Government officials were quick to reassure people that emergency services remained open and the country’s vaccine program was unaffected. The story echoed around the world, and then, outside of Ireland at least, the news moved on. Just as it had moved on from the Colonial Pipeline attack that preceded HSE, and the attack on AXA insurance that followed it.
But the HSE attack isn’t over.
Daniel (not his real name) sat with Malwarebytes Labs on condition of anonymity, to explain how this cyberattack is continuing to affect the lives of vulnerable patients, and the people trying to treat them. Throughout our interview he speaks quickly, but with control and understatement. He has the eyes and slightly exaggerated movements of somebody substituting adrenaline for sleep.
A 21st century health system runs on computers, but the computers in Daniel’s hospital have notes on them saying they cannot be used, and should not be restarted. While those computers are dormant, simple things become difficult; everything takes longer; complex surgeries have to be cancelled.
Daniel told us that before the attack he would go through a system linked to HSE for each of his appointments, looking for GP referrals by email, checking blood results, accessing scans, reading notes linked to each patient. That is gone now.
“Before surgery I review [each patient’s] scans. Or even during the surgery. Legally I have to look at the scans.”
“I can’t even check my hospital mail. Our communication with everyone has been affected… They can’t ring me. The whole thing is just breaking apart.” The GDPR, which is designed to protect patients’ data, prevents him from using his personal email or other messaging systems for hospital business. A generation of staff raised on computers are back to pen and paper. “You don’t know who’s looking for who, who wants to see who.”
I ask him how he first learned about the attack and he tells me about coming to work on Friday totally unprepared for what he’d encounter. The only nurse he sees asks “did you hear?”. He had not. The systems he relies on to stay informed aren’t working. “I didn’t get a heads up. All computers are not allowed to be touched. Do not restart.”
He describes how uncertainty hung over them, until at midday he let a patient who had been waiting for surgery since 7 am know that the day is cancelled. “She’s been fasting. With her stress up I had to tell her to go home.”
The staff are in the dark. “We were optimistic it would get done over the weekend. We thought it might get done the same day. Then we thought maybe Monday.” It has been this way since Friday and he is not optimistic that it will be sorted any time soon. “There is no official timeline but we’re thinking it will take at least a week or so. We are not optimistic about it.”
As he says this to me all I can think about is a statistic from the recent Ransomware Task Force report. According to the report, the average downtime after a ransomware attack is 21 days. The time to fully recover is over nine months. I can’t bring myself to mention it.
I ask him about the impact on patients.
“I have to tell patients, sorry I can’t operate on you. You’ve been fasting, you came a long distance, you rescheduled things to make time for me, maybe you have had to come off work. After all this I have to say sorry, I can’t see you.”
“I’m dealing with patients lives here. It’s not something you can take lightly. You either do it right or you do it wrong, and if you do it wrong you’re harming somebody.”
But not harming people requires access to information he no longer has. Delays can be life threatening. “If I reschedule a patient and they come back a few weeks or a few months later with a tumour that I couldn’t asses from the paperwork…”, he stops there. He doesn’t need to finish the thought. Those that don’t get worse while they’re delayed are still suffering too. They will stay that way until they can be seen.
And it’s obvious from my conversation with Daniel that it isn’t only the patients who are being put at risk. There are grinding, corrosive effects on the hospital staff too. Everything takes longer, which requires more work, and nobody knows when it will be over.
It is a wicked burden for a medical profession that has spent the last year grappling with a once-in-a-century pandemic. “Our backlog just became tremendous”, Daniel says, before explaining that over the last few months he and his colleagues have performed surgeries at nighttime and weekends to work through the backlog of operations and appointments delayed by the response to COVID.
And now there is another reason to work late.
Because of the ransomware attack, he must put in hours of extra effort after his day’s work is done just to determine which of tomorrow’s appointments he will have to cancel for lack of information. And then he must deal with those anguished, sometimes angry patients, telling them their appointment cannot go ahead.
“Imagine the scenario,” he says. “Patients will wait literally two years to see us. After two years they get a call saying ‘I’m sorry I can’t see you and I have to reschedule you and I can’t say when, because of the ransomware’. They know it’s not my fault but they are upset and very annoyed.” Daniel’s understatement kicks in. “They teach us ways to speak to angry patients, but it’s not nice.”
And hanging over all these interactions is the spectre of litigation. Whichever way he turns, his decisions have consequences and his decision making process is in tatters.
I ask him if he thinks they should pay the ransom (the Irish Taoiseach does not.) I am expecting rage and anger. A defiant “no”. I am projecting. His first thought is for the health of the people being denied care.
“I think they will pay the ransom. I don’t think there is another way around it. The pressure will build up, they will have to do what has to be done. This can’t go on. This is disastrous.” If it was his decision, would he pay? “I would. There is no money you can pay to take somebody’s life away. I would make my system more robust so this doesn’t happen again.”
I ask him if there’s anything he’d say to his attackers if he could.
“If your loved one was sick. Would you do this? If you had somebody you cared about, would you do this to them. That’s what I’d ask them.”
“I think they lost their humanity.”