Ransomware in Nunavut impacts healthcare
December 18, 2019
IQALUIT – A ransomware attack on November 2nd knocked out computer systems across the government of Nunavut, including healthcare databases. All healthcare centres remained open, but had to operate without the use of many systems, including the main Meditech electronic health record system and telehealth solutions.
“We never closed down any health centres, we never closed down the hospital, and we never refused any patient’s care,” Dr. François deWet, the Health Department’s chief of staff, told the Nunatsiaq News.
“Everyone rose to the occasion and we were able to provide the best care we could to Nunavummiut.” (The people of Nunavut.)
Instead of caving in to demands for a ransom payment, Nunavut has been rebuilding its systems.
As a result, there have been delays in the delivery of healthcare services.
“It was very challenging. In some cases, we had to contact Ottawa to have them fax up notes,” deWet said. Every patient was like a new one, and “it was like we had never seen that patient before,” he said.
As a result, a consultation that should have taken 20 minutes may have lasted 40 minutes or an hour.
“We went from having computerized record systems and all our laboratories and x-rays and everything else online to having no computers whatsoever. We had no electronic medical records, no access to imaging or to our lab work,” deWet said. “We really had to revert back to paper.”
With the recent return of email communications, the situation has improved, although non-urgent blood tests continue to be postponed until everything is back to normal.
But “our system is working, medical records are coping, the lab is coping. So, in terms of the services we can provide, there really hasn’t been a whole lot of change,” deWet said.
What he calls the “IT apocalypse” could have been much worse for healthcare delivery if the Health Department had not had a disaster management plan in place.
For example, within a day, a radiologist arrived and started reading emergency X-rays that could no longer be sent south online for an expert opinion.
Meanwhile, the lab could do tests, but could not communicate the results online.
“Basically, if they did a test, they would put the result on a piece of paper that they would bring to the emergency clinic or fax to a community,” deWet said. “My staff was very innovative.”
Having the disaster plan was key.
“It could be anything: the hospital burning down, a plane crash,” deWet said. “We didn’t plan for a ransomware attack, but the process was in place, so it had a big impact but not as bad as it could have been.”
Eventually the Health Department will have access to its patient medical records because these were all backed up. On the Friday before the ransomware attack, the department was transitioning to a new version of its Meditech system, deWet said.
“Because of this transition from one version to another, we actually had way better backups than we would usually have,” he said.
In some ways smaller communities coped better with the loss of connectivity, because their health centres transitioned from paper to electronic only about a year ago, he said.
“We’ve learned a lot from this,” deWet said. “One of the biggest challenges for us is that we did not have a list of physicians’ personal email addresses, so we had to go through contracts.”
And all their information and documents from prospective physicians were computerized. “So we relied on the memory of our recruiters,” deWet said.
That points to a need for a separate database of information to be stored in a separate system.
“Ransomware was an eye-opener to all of us,” deWet said. “It showed us how connected and dependent we are on technology.”
“The great thing about it is that we did have procedures, structures and policies in place exactly for this kind of emergency, so when it did happen, we were able to respond. We did not shut down services. It’s actually quite amazing when you think about it.”