Lessons Learned from a Cyberattack on the Healthcare System of Newfoundland and Labrador: A Radiology Perspective

Healthcare cyberattacks have been steadily rising since mid 2020. ¹ In late October 2021, it became apparent that our local medical information technology (IT) systems were inaccessible. Shortly after, the provincial government released the first official announcement regarding a cyberattack on Newfoundland and Labradors’ health authorities. ² In an effort to maximize the province’s ongoing cybersecurity, publicly available details were limited. We wish to share our lessons learned during the cyberattack.

1. Prompt and consistent communication is paramount.

Effective communication during a cyberattack relies on continuous discussions between medical imaging staff, clinicians, patients, and healthcare authorities.^3,4

IT shutdown information was communicated via various modalities (i.e., secure applications, text, call, email, and face-to-face discussions) with all medical imaging staff. Daily dissemination of knowledge was a priority to maximize patient safety and to enable radiologists to inform and protect themselves from a medico-legal perspective. ³

Succinct radiology reports addressing clinical questions were preliminarily typed in the “Notes” section of the Picture Archiving and Communication System (PACS). “Notes” are temporary on PACS. Shortly after, a transition occurred, involving adding reports to the permanent “Pop-up boxes” on PACS. This transition provided referring physicians with straightforward and direct access to preliminary reports on PACS. As per pre-cyberattack, emergent verbal communication was provided to ordering physicians. After discussion with local radiologists and the Canadian Medical Protective Association, it was decided to add a short medico-legal liability disclaimer to these preliminary subsequent final dictated reports.

2. (Not completely) out with the old (paper-based system).

Pre-cyberattack, our department used a hybrid paper/digital medical imaging requisition system. Fortunately, familiarity with paper imaging requisitions eased the transition to an entirely paper-based system during the cyberattack. ³ Additionally, reduced workflow during the COVID-19 pandemic helped to prepare our department for a rapid transition to urgent/emergent imaging studies only during the cyberattack.

3. Correct patient identification prioritizes safety.

After a few iterations, a paper-based safety identification system was developed involving medical imaging requisitions with multiple patient identifiers. At each diagnostic imaging modality, technologists recorded patient information on paper as official record. Staff radiologists received a photocopied version of the notebook as their “worklist” which they were responsible for reporting.

4. Judicious trial and error is the way forward.

Amidst uncertainty, actively testing solutions is more effective than remaining idle. ³ For example, decisively and strategically trialing several imperfect paper-based systems allowed our department to eliminate ineffective strategies and to better adapt existing strategies to achieve success more efficiently. Accordingly, a non-judgmental, flexible, and adaptable approach was fundamental to achieving our goals.

In conclusion, it is essential to have a system in place to efficiently modify workflow during a cyberattack. Prompt and consistent communication between all physicians, technologists, and administration is the first step. Pivoting to systems independent of current IT methods allows continued provision of medical imaging services, albeit at a slower rate. As always, practicing with patient safety first culture including having multiple backups to correctly identify patients is integral to ensure patient centered healthcare.