Affiliation:
1. Royal College of Surgeons in Ireland, Dublin, Ireland
2. National Office of Clinical Audit, Dublin, Ireland
Abstract
Abstract
Background
On May 14, 2021, a criminal cyberattack was launched against the Irish public healthcare system, the Health Service Executive, resulting in a complete shutdown of all national healthcare computer systems, including the Irish National Orthopaedic Register (INOR). Cyberattacks of this kind occur sporadically, and postevent analyses can inform future preparedness efforts, but few such analyses have been published.
Question/purpose
What was the impact of the cyberattack in terms of (1) registry downtime, (2) harms to patients, and (3) costs to the INOR for data contingency and reconciliation?
Methods
All nine hospitals using the INOR were included for data collection. Since establishment in 2014, the INOR has been rolled out to all eight public elective hospitals, capturing all hip and knee arthroplasty procedures. One private hospital was also captured, with plans to expand the private sector coverage. Individual institutional records and central INOR records were queried with respect to downtime, potential harms to patients (including intraoperative complications because of a lack of data on existing implanted components and complications directly attributed to delayed or canceled procedures), and costs related to additional person-hours addressing data reconciliation. Objective data directly related to the uncontrolled INOR downtime were collected, including duration of downtime, contingency methods employed, quality of contingency data collected, adverse patient events, methods of data salvage and reconciliation, and the cost of data contingency and reconciliation measures. Costs were estimated by the additional person-hours of work completed, multiplied by the hourly rate of that employee. Employees at each of the nine hospitals were asked to provide their additional person-hours of work performed because of the attack. These hours were corroborated by observing the time taken at each unit to reconcile data for single cases multiplied by the number of cases at that unit. Employees included nurses, clinical nurse specialists, and doctors of various grades. Person-hour rates were calculated using the Health Service Executive’s published salary scales.
Results
The INOR suffered a median downtime of 134 days (range 119 to 272 days) across nine sites. No serious adverse patient events were identified. The immediate implementation of a paperwork fallback method for the INOR successfully resulted in 100% case capture during the downtime. However, 2850 additional person-hours were required for data reconciliation at an estimated cost of USD 181,000 to USD 216,000. More subjectively, as reported by interviews with INOR leads at each hospital, the cyberattack negatively impacted operating room efficiency with delays between procedures because of additional paperwork data collection, disrupted patient flow for paperwork data collection on the ward level and in the outpatient clinics, and disrupted resource allocations and staff capabilities because of additional paperwork requirements during the contingency period.
Conclusion
Disruptions to data collection and data accessibility after this cyberattack were successfully countered by a contingency plan; however, substantial financial costs and additional resources were required for data conservation and reconciliation.
Clinical Relevance
In addition to robust preventative security measures, national registers and other healthcare systems should have secondary data backup facilities and reliable fallback procedures prepared for such events.
Publisher
Ovid Technologies (Wolters Kluwer Health)
Subject
Orthopedics and Sports Medicine,General Medicine,Surgery
Reference8 articles.
1. Cyberattack: HSE faces final bill of at least € 100m;Cullen;The Irish Times
2. Health care cybersecurity challenges and solutions under the climate of COVID-19: scoping review;He;J Med Internet Res,2021
3. Cybersecurity in hospitals: a systematic, organizational perspective;Jalali;J Med Internet Res,2018
4. Ireland: a brief overview of the implementation of the GDPR;McLaughlin;Eur Data Prot L Rev,2018
5. Where bits and bytes meet flesh and blood: hospital responses to malware attacks;Millard;Ann Emerg Med,2017
Cited by
4 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献