System Resilience and Cyber Security are Essential Pillars of Clinical Safety

As healthcare increasingly relies on digital technology, the availability and security of patient data have become critical components of clinical safety. IT system failures and cyber-attacks pose significant risks to data availability, potentially leading to severe consequences for patient care. This blog post explores the clinical safety impacts of data unavailability caused by such incidents. The key message is that data security, system resilience and cyber security are foundational elements of clinical safety. As this blog post indicates, this is not a theoretical threat.

The Critical Role of Data in Healthcare

Access to accurate data at the point of care is essential

Healthcare providers depend on electronic health records (EHRs), imaging systems, and other digital tools to deliver timely and effective care. These systems store vital patient information, including medical histories, test results, treatment plans, and medication records. Effectively integrated systems operating within organisations support clinicians in making informed decisions, coordinating care, and responding swiftly to patient needs.

Available, legible records enhance the safety of patient care within health services. Shared details (interoperability) then secure further safety gains. Sophisticated clinical decision support further enhances safety.

Where data is not available, the safety benefits are not available either. Put simply, care becomes substantially riskier for patients, and increased pressure is placed on busy clinicians.

Implications of IT System Failures

Where systems fail, there are a number of patient, clinician and organisational consequences. These include:

  1. Delayed Treatments: When IT systems fail, accessing crucial patient information becomes difficult or impossible. Healthcare provision is contingent upon these systems being available. Under attack, healthcare providers may resort to manual processes that are slower and more error-prone.
  2. Medication Errors: EHRs are instrumental in managing and tracking patient medications. If these records become inaccessible, the risk of medication errors increases significantly. Healthcare professionals may not have access to the most recent prescribing or drug administration information, leading to potential over- or under-dosing.
  3. Diagnostic Delays: Imaging systems and lab results rely on digital management systems. IT failures can prevent the timely review of diagnostic tests, delaying diagnoses and subsequent treatment plans.
  4. Operational Disruptions: Hospital operations, including scheduling, admissions, and discharges, rely heavily on IT systems. System failures can disrupt these processes, leading to inefficiencies and reduced capacity to care for patients.

Consequences of Cyber Attacks

Cyber-attacks, such as ransomware, can have even more profound impacts on data availability and clinical safety. These attacks typically involve malicious actors gaining unauthorized access to healthcare systems, encrypting data, and demanding a ransom for its release.

  1. Data Breaches: Cyber-attacks often result in data breaches in which sensitive patient information is stolen. This not only compromises patient privacy but also undermines trust in the healthcare system and compromises the safety of care.
  2. Extended Downtime: Cyber-attacks can cause prolonged downtime compared to conventional IT failures. Recovering from such incidents requires significant time and resources, during which patient care suffers severe impacts.
  3. Compromised Care Coordination: Effective healthcare delivery relies on coordinated efforts among various departments and professionals. Cyber-attacks disrupt these communication channels, leading to fragmented care and increased risk of medical errors.
  4. Financial Strain: The financial cost of cyber-attacks, including ransom payments, system restoration, and potential legal liabilities, can strain healthcare resources. This financial burden can divert funds away from patient care initiatives.

Loss of confidence

A secondary issue when systems fail is that people lose confidence in the security of their data. They become understandably more reticent about sanctioning the sharing of their medical information, even where this might secure compelling clinical safety benefits.

It is also an issue where clinicians lose confidence in technology solutions. The threat of “going back to paper” sends a chill through me. This may be reassuringly familiar to senior clinicians and provide easy “data entry”, but it is not acceptable as a safe system for patients. This is because we increase safety risks for patients through:

  • legibility issues,
  • retrieval issues, and
  • an absence of alerting and clinical decision support.

Notable Examples of Incidents

Globally, there have already been a significant number of cyber-attacks, including on providers in the US (Medstar, UCLA Healthcare, and Anthem), Singapore and Germany (Dusseldorf University), and we have ongoing issues in the London system with Synnovis, a significant provider of pathology and testing services. The following are more specific examples that have had a huge impact on systems. I have chosen these having lived through them!

WannaCry Attack (2017)

The WannaCry ransomware attack occurred worldwide in May 2017, targeting PCs running Windows. Attackers encrypted data and demanded a ransom, threatening to release information. Microsoft had prior knowledge of a potential attack 12 months earlier and had released a security patch for all Windows devices. Organizations that failed to install the patch, despite Microsoft’s recommendation, became targets. The WannaCry ransomware attack infected 200,000 PCs across 156 countries.

The attack severely impacted healthcare systems globally, particularly affecting the UK’s National Health Service (NHS):

  • Hospital Services: Numerous hospitals and GP surgeries had to cancel appointments and redirect emergency patients due to the inability to access patient records.
  • Treatment Delays: Critical treatments, such as surgeries and chemotherapy sessions, were delayed, directly affecting patient care and safety.
  • Financial Costs: The NHS incurred significant expenses for system restoration and implementing improved cybersecurity measures to prevent future attacks.

Even where healthcare providers did not suffer from the direct attack, their functions were impaired, for example by ambulance services protecting their data by closing access to their network, with the impacts including:

  • Ambulance handover process and screens disabled
  • Patient Transport Service booking portal not available.

Furthermore, specialist tertiary centres protected their data by closing access to their network, the main impacts being:

  • Hospitals could not transfer images to specialist centres
  • The transfer of information within clinical networks was disrupted

Leeds Laboratory Failure (2016)

In 2016, the Leeds Teaching Hospitals NHS Trust experienced a significant IT failure in its laboratory information management system:

  1. Test Delays: The failure resulted in delays in processing and reporting diagnostic tests, affecting patient diagnoses and treatment plans. GP services were affected as they were asked to prioritise urgent blood requests and to delay routine blood tests, for example, to monitor patient therapy.
  2. Operational Strain: The disruption led to an increased burden on clinical staff, who had to manage manual processes and mitigate the impact on patient care. It also placed a considerable response burden on technical staff and senior leaders within the organisation.
  3. Patient Safety Risks: The delays and operational challenges posed direct risks to patient safety, particularly for those requiring timely diagnostic results for critical conditions.
  4. Treatment Delays: The lack of blood results and uncertainty about blood cross matching led to the cancellation of elective operations across both Leeds and Bradford.

HSE Ireland Ransomware Attack (2021)

In May 2021, the Health Service Executive (HSE) of Ireland suffered a major ransomware attack, leading to extensive system outages:

  1. Service Disruption: Hospital services, including outpatient appointments, diagnostic tests, and surgeries, were disrupted or postponed.
  2. Patient Care Impact: The attack severely impacted the ability of healthcare providers to access patient records, leading to delays in care and increasing the risk of medical errors. Patients were potentially turning up for scheduled appointments at organisations that could not access their schedule or the reason for attendance.
  3. Financial and Recovery Efforts: The financial cost of the attack was substantial, encompassing ransom demands, system restoration, and long-term improvements in cybersecurity infrastructure.

Mitigating the Risks: A Prescription for Safety

Healthcare organizations must adopt comprehensive strategies to mitigate the risks associated with IT system failures and cyber-attacks:

  1. Robust Cybersecurity Measures: Implementing strong cybersecurity protocols, including firewalls, encryption, and regular security audits, can help prevent cyber-attacks and minimize their impact. This should involve very careful consideration with respect to the use of large cloud providers whose security measures are state of the art and who can ensure that appropriate security patches can be applied in a timely fashion. The days of “on premises” data storage and system maintenance must be numbered.
  2. Hosting arrangements must be supported with appropriate assurance and credentials. ISO standards are a good starting point for this.
  3. Regular Backups: Maintaining regular, secure backups of all critical data ensures that information can be restored quickly in the event of a system failure or cyber-attack.
  4. Disaster Recovery Plans: Developing and regularly updating disaster recovery and business continuity plans can help organizations respond effectively to data unavailability incidents. This should include, however unpopular, running periodic business continuity exercises.
  5. Staff Training: Educating healthcare staff on cybersecurity best practices and the importance of data security can reduce the risk of human error contributing to data breaches or IT failures.
  6. System Architecture: Implementing redundant systems and network architectures can provide alternative pathways for accessing critical data, ensuring that patient care can continue uninterrupted during technical issues.
  7. Lessons Learned: Health services need to ensure the lessons are learned from organisations and systems that have been affected. The response to cyber-attacks often has clandestine elements to avoid alerting hostile actors about vulnerabilities. Despite this, we need to ensure that lessons are learned.
  8. Partnership: Fundamental to successful working is the establishment of effective partnerships between system providers’ clinical, clinical safety and technical functions and the reciprocal functions within their customers.

Conclusion

The availability of patient data is a cornerstone of modern healthcare. IT system failures and cyber-attacks pose significant threats to this availability, with serious implications for clinical safety. By understanding these risks and implementing robust preventive measures, healthcare organizations can protect patient data, ensure continuous care delivery, and maintain the trust and safety of their patients.
