It's now just over a week since the HSE was hit by the devastating cyber attack on its computer and information systems.
Having to contend with a Covid-19 pandemic which puts patients’ lives at risk, and another human-made virus, which also potentially is putting lives in danger, is a horrible convergence of crises.
All this has happened after the HSE Audit Risk Committee warned in March this year about the changing risk of cyber attacks. In fact, most of the completed audit reviews of Information Communications Technology (ICT) governance and programme management had an unsatisfactory finding.
There was also concern at board level towards the end of last year about upgrading from the operating system Windows 7 to Windows 10.
The dramatic development on Thursday, when Irish authorities got the decryption code to unlock the data was big news, but it has by no means solved everything. While progress is reported in getting some systems back, there are delays in other areas like radiation oncology. The HSE experts also have to be sure that any decryption key helps and does no further harm. Using a decryption key is a complex process.
The day before the attack on the HSE, there was an attack on the Department of Health, but apparently its systems were not compromised. The Department did not tell the HSE it was or had been attacked but reported the matter to the Garda National Cyber Crime Bureau.
The HSE has said the cyber attack had caused enormous risk and described it as a major disaster. It had almost paralysed some hospitals and resulted in many services being cancelled.
Now there remains a danger that private patient information will enter the public domain. However, it is hard to see any reputable news organisation in Ireland publishing such data, or the names of patients linked to stolen health files. That would be unprecedented and also be seen as making use of private patient data, or HSE services data, that had been secured through criminal means.
But that might not stop some data appearing on social media, especially through anonymous accounts. However, there is also the High Court order granted to the HSE on Thursday, against the illegal use of data that may have been stolen during the ransomware attack. That should offer some added layer of protection and comfort for patients, the HSE and the Government.
Ireland is in unprecedented times, both with Covid-19 and the cyber attack, so it’s hard to be certain where things will go from here. The pace of developments can be breathtaking.
The point was made by Dr Vida Hamilton, the HSE's Clinical Advisor for acute operations, that there are real problems when patients arrive at emergency departments, the doctors know nothing about the individual, there are no charts, no record number.
Without the electronic barcodes, if a patient is transferred up to a ward, it may be difficult to find out where they are when delayed blood tests come back.
It is a nightmare scenario and hospitals in other countries that have been hit by other cyber crime attacks have taken months to recover.
The big question that arises is – could it have been averted? Was the HSE a sitting duck? An easy target? We have done well to fight back the Covid-19 threat, but might the cyber attack have been prevented or even minimised?
Probably only an independent review could establish that and identify measures to make the HSE network safer from such threats. The Data Protection Commissioner will also have a view on what happened in relation to GDPR. Some people may also sue if their patient information was leaked.
Lack of IT funding in the health service was identified by two former senior HSE people as contributory factors. Former HSE Director General, Tony O'Brien, said that the overall spend on ICT in the HSE was about a quarter of what is spent by comparable health services in other countries.
Also, Richard Corbridge, the former head of information systems at the HSE, praised the IT team in the health service as an amazing one, but added that what the state was seeing to some degree were the consequences of under investment in this area.
Defending the organsiation, head of the HSE, Paul Reid, argued there had been significant investment in IT. He put the figure at about €500m in the last three years. Whatever the reality, if any good comes out of this unprecedented attack, the HSE IT system will be getting big-time attention now. However, what was the state of readiness to such attacks up to now?
On 12 March 2021 HSE Audit Risk Committee minutes, there is a notable reference to ICT governance and programme management. It said that the situation is improving but that "five out of the eight completed audits in 2020 had an unsatisfactory opinion".
The next line is significant: "In response to questions regarding rapid ICT deployments and changing risk profiles the Deloitte representatives confirmed that yes, the risks over the last year have changed, with a rise in focus on cyber risks."
As a result, specific reviews were planned for this year and there was to be a briefing session for the audit risk committee to provide a general overview of the current HSE technology landscape and changing risk profile.
And at a HSE Board meeting, in November last year, questions were raised about the ability of the existing cyber security system to cope. Board members questioned variation in software platforms across the organisation. It was told there was a "challenge with transitioning devices from Windows 7 to Windows 10 software, especially during Covid-19". The Board was warned that it would be a challenge that would require additional security.
Stephen McMahon of the Irish Patients Association has reviewed the Board minutes and the Audit Risk Committee minutes. His view is that cyber security bleeped on the HSE Board’s radar, however, it appeared that the important briefing for the Board in November 2020 looked like it was regarded as an informative overview.
Mr McMahon said that despite the concerns raised by the Chief Information Officer, no clear other follow-up actions or monitoring is documented in the minutes of that November agenda item.
Of course it is not all about IT investment. Experience around the world is that there can also be human resistance to IT improvements too. That is because good IT shows real-time performance of people and targets.
We have been here before, in relation to outdated computer systems and the HSE. It emerged only late last year that the infectious disease computer gathering system in the Health Protection Surveillance Centre was close to 20-years-old.
It could not cope with the input of data from Covid-19 positive cases in December and a backlog of reporting built up. A review report, before the pandemic hit in March 2020, had advised that more investment was needed to update public health computer systems.
The consequences of under investment have been seen in dealing with the Covid-19 crisis too. Because of the cyber attack, last week there was no detailed update on the vaccination roll-out, limited Covid-19 case details and hospital activity and delayed updates to regular reports posted on the Health Protection Surveillance Centre website.
But thankfully the vaccination programme has continued this past week, and was not hit by the cyber attack. We saw registration for people aged 45 to 49 years open. This group will get an mRNA vaccine, Pfizer or Moderna.
The HSE is still looking at the operational implications for the strict restrictions on using the Johnson & Johnson single dose and the AstraZeneca vaccine for the 40-49 year age group. Meanwhile, the situation for people in Group 7 – those at high risk from Covid-19 due to underlying conditions - remains a bit complex, if not confusing.
These people in Group 7 are aged 16-59. They are supposed to be vaccinated by their hospital, or by their GP. However, some GPs are not participating in this part of the vaccination. I have received some communications from people in Group 7 who feel left out and have not heard about any appointment. Some feel they are falling between the two stools of hospitals and GPs.
Group 7 is also a sizable body of people estimated at 350,000. Some of this group will have been vaccinated in other groups for a variety of reasons. But given that the last HSE official figures showed just under 3,000 patients in Group 7 had been given a dose of vaccine, there must be a large number still waiting.
During the week, the HSE was still putting in place a system to allow GPs electronically refer patients in this group to the HSE to be scheduled for vaccination at centres, if the GP was not participating in this work.
The other option for those at high-risk, who are aged 45-49, is that they can register now on the HSE portal, or by phone, if they have not got an appointment already from their hospital or health team. But it still leaves quite a number of people wondering when they will be vaccinated, as they see people in other age groups being immunised.
As vaccination continues, the Health Products Regulatory Authority published its latest update on reports of suspected side effects from Covid-19 vaccines. These reports come from healthcare professionals and members of the public. As more and more vaccines are administered, the number of side-effects reported is expected to grow.
The latest figures show that up to mid-May, there were 7,862 reports of suspected side effects with Covid-19 vaccines. That was after 1.4 million first doses and 514,800 second doses administered.
The breakdown of suspected side effects was over 3,700 with an mRNA vaccine, Pfizer or Moderna and over 4,000 with AstraZeneca. The most common side effects were chills, fever, tiredness, dizziness, headaches, muscle pain and nausea.
A total of 56 reports have been received describing an individual who was known to have been vaccinated and died. Of these 50 were reported with an mRNA vaccine.
The HPRA says it can be expected that fatalities due to progression of underlying disease or natural causes will continue to occur, including following vaccination. But this does not mean that the vaccine caused the deaths. All these cases are carefully investigated.
There have been 41 reports of blood clot events associated with vaccination. Less than five cases have involved the very rare blood clot events plus low platelets. These were all in people under 40 years. The symptoms were seen 1-2 weeks after receiving the first dose. The individuals were discharged from hospital after receiving specialist care.
The next suspected side effects report from the HPRA will be published in mid-June. Across Europe also, there is monitoring of side effects.
And so the summer is coming, although the weather this week was more winter than summer-like - stormy, like the turbulent times we have been through.
Indeed, we have been under attack in so many ways for the past 14 months or so. Mostly it has been the virus and this week a computer attack.
It’s crazy how fast things can change, with so little time to face the changes. Let’s hope at the end of all this, we will all be stronger for it.
Better prepared for whatever comes next.