Bulletin / Cyber Attacks on...

Cyber Attacks on Hospitals - What are the Impacts? (Part 2)

Author: Charlie Maclean-Bristol, Training Director, FBCI, FEPS

This is part 2 of last week's bulletin, discussing the dire impacts of a cyber attack on healthcare services.

Communications

Communications are incredibly important in a healthcare setting, especially as they are looking after many patients. Any incident, changes, or location swap affecting the patients must be rapidly communicated to the patient's loved ones or next of kin. If there is a loss of communication after a cyber attack this can be very difficult to achieve, even if there is a means of calling, such as the use of a mobile phone. There is the slight issue that all the patients’ details are held on a computer, making it difficult to get ahold of their next of kin. The patient’s next of kin may be very concerned if they try to call the hospital and they can’t get through or they are informed that this is due to a cyber attack. Perhaps hospitals should keep hard copies of the next of kin as a minimum precaution. It would be highly embarrassing if a patient died in the hospital and there were no records available to contact their next of kin or family.

Where patients have had their personal medical records accessed by hackers and when there is the possibility of them being made available to the public, for example what happened with the HSE in Ireland, the Gold Team in the hospital should think through how they will inform their patients and whether there are any mitigation measures they can put in place, or any advice they can give to those whose details have been breached.

Communications are also vital for the discharge of patients and for moving them out of a hospital bed, often into the care of social services. This all requires communication by phone or an IT system. The more you read about the Advanced cyber attack the more you can see the impact of a cyber attack on the delivery of services that communications are vital for. The attack impacted patient referrals, ambulance dispatch, out-of-hours appointment bookings, mental health services, and emergency prescriptions.

The hospital’s website can be used to give families, patients, partners, and suppliers information about a cyber incident. Hospitals should try and have their websites or elements of the website stand alone so they are not affected by a cyber incident, and can be updated at short notice.

Internal communications keep staff informed of what is happening, impacts, new ways of working, and any changes to the roster. Staff may also have their personal data accessed, therefore hospital management needs to think through what information they would give to them, and whether they should provide services such as credit monitoring.

Hospitals as a Business

Hospitals are large businesses in their own right, having payroll responsibilities, procurement requirements and the need to pay suppliers. All of this action could be brought to a standstill by a cyber attack. The organisation could lose access to all their personnel records so they may not know who their staff are, nevermind be able to pay them. If suppliers are not paid, they may withdraw their service and hospitals may be unable to pay for replenishment drugs and medical equipment. These back office functions may be covered by the organisation's business continuity plans, but often finance departments just can’t function without access to systems. Their whole operation could very quickly grind to a halt.

As hospitals are open 24/7, the staff rota is very important and usually, staff allocation is carried out and held electronically. A cyber attack leaves the provision of staff in the dark so the hospital managers may not know if sufficient staff are going to turn up for the next shift.

Hospitals need a manual process as they rely on information from IT systems to carry out their work. Although it is possible for a short time to work manually, the paper soon mounts up and all tasks take even longer, therefore staff have to work more hours to continue the same level of care as before. Communication is key in keeping in touch with the patient’s next of kin, suppliers and service providers, but if the information is inaccessible, the hospital's ability to function effectively may be severely reduced. Hospitals are also reliant on back office functions to keep the business running and can also be severely impacted by a cyber incident. The Advanced cyber attack is perhaps another wake-up call to hospitals that they have to be prepared to respond to a cyber attack.

You might be interested in the following stories

Cyber Attacks on Hospitals - What are the Impacts?

CYBERUK 2022 – What Did We Learn?

Looking After Your People During a Cyber Incident

You may be interested in the following course

BCT Certificate in Cyber Incident Management (NCSC Certified Training) course

Sign-up to our newsletter

We value your privacy

We use cookies to enhance your browsing experience, serve personalised ads and understand how our website is used. By clicking "Accept All", you consent to our use of cookies. Our cookie policy