Cyber attack: When will the Irish health service get a resolution?

  • Published
A hackerImage source, Getty Images

It is now more than a week since the Republic of Ireland's health service became the victim of a ransomware cyberattack and there is no sign of a resolution any time soon.

Government ministers have consistently repeated that no ransom will be paid to the hackers for the return of patients' information despite some such details appearing on the dark web.

Many computers were shut down to allow specialists to track down the malware.

It means many hospitals have returned to pen and paper usage to keep records.

But that is causing problems for many doctors, consultants and dentists who cannot access previous scans stored on computers for comparison to see whether a patient may have deteriorated.

It is, obviously, a worrying time for many patients too - especially those who have cancer and other serious ailments.

Not surprisingly, several patients have called radio phone-in programmes to say a ransom should be paid to allow normal service to resume.

But that is very much a minority view among the general public, even though some IT specialists privately suspect money may have to be paid eventually.

Routine non-emergency operations, including colonoscopies, have been cancelled in many hospitals.

That will add to waiting lists and missed diagnoses and will increase patients' worries.

One maternity hospital cancelled outpatient visits, unless women were 36 weeks pregnant or later.

Overwhelmingly people support the Irish government's stance in refusing to pay a ransom to the hackers, who are believed to be based in St Petersburg in Russia.

Image source, Getty Images
Image caption,
Ireland's Department of Health and the Health Service Executive were both targeted by hackers

But the cyber attack has also highlighted the vulnerability of the Ireland's health service because of its continued use of an outdated Windows system.

IT experts have said the attack was an accident waiting to happen because of a failure to invest sufficiently in cyber security.

Others suggest that the Health Service Executive (HSE), the official name for the Republic of Ireland's health service, could face up to €1m (£860,700) in fines for inadequate data protection under General Data Protection Regulation (GDPR) rules.

'Tens of millions'

It is too early to say whether any patient whose private details end up published on the internet will sue the health service for negligence and a breach of privacy.

In the meantime, the HSE has secured a High Court order preventing hackers - or any individual or business - from sharing, processing, or selling the information.

The court injunction also applies to social media platforms such as Twitter, Google and Facebook, and therefore limits the gang's scope for disseminating the information.

The head of the HSE, Paul Reid, has estimated it will cost "tens of millions" of euros to get its systems back up and running.

The government is also setting up a helpline for those who are approached and told their health details are going to be published online.

The underfunding of the HSE IT security system is going to come with a heavy price and now the worry is that other public services may also be vulnerable to similar ransomware cyber attacks.