image of a lock with text that says lessons learned from st james hospital

Responding to a Ransomware Attack in Radiology

Reading Time: 8 minutes read

By Dr. Niall Sheehy, MB, MRCP, FFR RCSI, St James’s Hospital -Trinity College Dublin.

Imagine that your radiology department has no access to your PACS, your RIS, or even email. How would you create and distribute reports? How would you archive images? This is the distressing position our radiology department found itself in following a cyber-attack. Keep reading to learn how we responded to this ransomware attack in radiology – and to learn from our experience should it happen to you.

In May 2021, St James’s Hospital in Dublin was one of 54 public hospitals affected when the Health Service Executive (HSE) was the victim of a Cyber Attack by Conti, a sophisticated, financially-motivated criminal gang. It was the largest known attack against a health service computer system in history, occurring during the COVID -19 pandemic (1).

Image of a lock with text that says lessons learned at St James's hospital
Two of the new initiatives to help protect against future attacks are the creation of national cybersecurity policies and a cybersecurity office; and archiving backup solutions on scanners.

Our radiology department was one of the fortunate ones, we were without PACS “only” six days. Other Irish healthcare sites were without PACS for almost five weeks. Additionally, it took almost four months from the time of the attack until most systems and applications within the HSE were fully restored.

From phishing to encryption

The attack began with a phishing attempt. Phishing is a cybercrime in which scammers try to lure someone into giving up personal information or compromising your system by impersonating a trusted source. In our case, someone within the Irish public hospital system (HSE) opened an excel attachment to an email, launching a type of malware.  Before it was detected, the malware spread to multiple other systems within the network across multiple hospitals. On 14 May 2021, the Conti group activated the malware. Staff throughout HSE were greeted with this ominous message flashing on our computers: “All of your files are currently encrypted by CONTI ransomware. YOU SHOULD BE AWARE: If you try to ignore us. We’ve downloaded data and are ready to publish it on news website if you do not respond.”(sic)

At a moment’s notice, 80% of HSE’s IT environment was encrypted. The immediate response by IT was to shut down all network connections, thus limiting the spread of the malware. We had an almost complete loss of communication with external departments. Even our internet went down. Although the national PACS was not infected, it was disconnected from the network, effectively shutting it down. All our modalities were disconnected from their archive. We could not report on studies and clinicians could not see images or reports. There was severe service disruption and a negative impact on patients and on their care. In terms of scale, the decrease in radiology activity was similar to that of the first COVID lockdown.

Our response to the ransomware attack in radiology

Radiology reporting

All we had were functioning modalities. No PACS/RIS. No network. No access to email or shared files. Initially we viewed images directly from the modalities, a tedious and slow process. Some sites outside of our hospital were able to set up temporary networks with a mini PACS. Even after our local networks were restored, our home reporting solutions remained offline for months.

Order and report distribution

Diagram courtesy of Dr. Niall Sheehy, St James’s Hospital – Trinity College Dublin.

Thank goodness for our personal phones. We relied on them heavily to create and send reports via secure mail. Fortunately, we still had access to our cloud-based dictation system (T-Pro) that we could access with our smartphones. In some instances, we created our reports using paper and pen assisted by carbon paper to create duplicates. Sites that still had film printers relied on them to print and send radiographs to remote sites and to our emergency department.

An important note is that all the HSE’s communication systems, mainly email, were down. This greatly impeded communication with staff. This also meant that we could not use the email system as an alternative mechanism for report distribution.

Temporary archiving

As you can imagine, this was a significant issue as our modalities were disconnected from the PACS. Of course, our volume of scans was reduced significantly due to the impacts of the cyber-attack throughout the hospital. Nonetheless, the storage on the scanners rapidly filled. At our site, we made use of spare storage on an IR workstation. This got us through the 5-day period without access to our PACS. However, other sites quickly filled up their local stores and had to improvise in other ways.

Reconciliation after system restore

The work was far from done once our RIS/PACS were restored. We still faced the issue of linking the reports we had created using our temporary systems into the restored RIS/PACS. Every scan had to be matched to an order, every order to a report. In total, this process took some sites months to complete.

Additionally, the effect of HSE’s IT response to the attack- although necessary- was as significant as the impact of the attack itself. New end-point software that was installed on all workstations and servers was put in overnight and without testing. This resulted in multiple issues and impeded access for our department and all other radiology departments to PACS for several weeks until the appropriate exceptions could be worked out.

Like the COVID crisis, the response of all staff both in the department and our IT support (both in house and from vendors) was superb, with everyone working very hard to get the system back online.

Overall, the associated costs of the ransomware attack are estimated at over 100 million euros for HSE, and significant legal costs remain pending. Additionally, 113,000 patients and staff had their personal information stolen.

Securing the future

Of course, the HSE and our systems are much more secure today. Here are the key improvements that HSE made and are worth considering for your facility:

  • We have invested in a significant upgrade to the national PACS, giving it a much more secure architecture based around a private cloud. This improvement should make it more resilient and faster to bring back online. In the future we may move to a full cloud solution.
  • We installed end-point software and other security enhancements in local and national networks, this has worked well – once the initial bugs were worked out.
  • We established national cybersecurity policies and a cybersecurity office.
  • We set up archiving backup solutions on our scanners so we can switch easily in the event of the PACS being unavailable.
  • Many hospitals now maintain a stock of IT/network equipment that can be deployed in an emergency to rebuild basic systems. They have installed “dark” servers with policies/IT infrastructure that can be used to rapidly rebuild a rudimentary network in the event of the main system being taken down.
  • We are moving to email and other communication systems that are not based on site so that we can maintain contact with staff during an attack.

Internationally, some sites are moving their PACS to a cloud system. The cloud system has several advantages. For one, they typically have more layers of security with more dedicated staff. Additionally, there are multiple backups in the cloud so system restore is easier. Lastly, customer data is usually encrypted, making it harder for hackers to access it.

CARESTREAM ImageView Software delivers advanced security capabilities to protect you from the ever-changing cybersecurity risks threatening your standards for patient care, regulatory compliance, reputation and finances.

In addition to considering the steps we took in response, I encourage radiology departments to address other potential vulnerabilities like an under-resourced IT staff, multiple software versions, multiple applications, and unreliable backup on systems. And should you find yourself in this difficult position, my final words of advice are improvise, adapt, and overcome.

I hope you found our experience in responding to a ransomware attack in radiology useful. Thank you for reading!

About the author

Dr. Niall Sheehy, MB, MRCP, FFR RCSI

Dr. Niall Sheehy, MB, MRCP, FFR RCSI, is a radiologist and Associate Clinical Professor at St James’s Hospital – Trinity College Dublin. He has been a radiologist in practice since 2008. He is a former Dean of the Faculty of Radiologists, RCSI. He was the lead radiologist participating in the Irish National PACS procurement 2008-2012. Additionally, he oversaw the PACs transition when he was Clinical Director in Ireland’s largest hospital from 2013 to 2019. Dr. Sheehy presented this information in a session at ECR 2023. He delivered a presentation on this topic at ECR 2023.

The article is for awareness purposes only and does not constitute professional advice by Carestream Health.  Carestream makes no claim regarding the applicability of St James’s Hospital’s experience to your situation.

Learn more: Responding to a Cyberattack on Radiology by the Director of the Gallagher National Cyber Practice.

Reference

  • 1 https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf

COMMENTS

  • reply

    Pelorus technology

    This blog post provides valuable insights into responding to ransomware attacks in radiology, a critical topic in today’s healthcare landscape. The author’s recommendations on prevention, detection, and recovery strategies are spot-on. It’s crucial for healthcare professionals to stay informed and prepared for such threats, and this post is a great resource to guide them. Cybersecurity in healthcare cannot be emphasized enough, and the tips shared here are a step in the right direction to safeguard patient data and maintain the integrity of medical services.

POST A COMMENT

This site uses Akismet to reduce spam. Learn how your comment data is processed.