The annual ICGP conference today.
cyber crime

'Is anyone else terrified?': Doctors concerned as GPs are targets of ransomware attacks monthly

One doctor said that trying to avoid getting hit by hackers is like trying to “jay walk down the quays in Dublin”.

LAST UPDATE | 14 May 2023

GPS HAVE SPOKEN of their fear of being targeted by hackers in ransomware attacks, after learning that at least one practice falls victim on a monthly basis. 

At a talk on data protection today, one GP asked his colleagues, “Is anyone here terrified?”

He said that despite General Practice being at “the forefront of computerising medical records”, GPs are not being given “resources and protection” from the State when they are targeted by cyber criminals. 

“We are facing a tsunami,” the doctor said.

He added that trying to avoid hackers accessing health data, and therefore causing a breach of GDPR, is like “trying to jay walk along the quays in Dublin city”. 

Dr John Sweeney, Project Manager for the National General Practice Information Technology Group (GPIT), gave a talk on data protection risks at the Irish College of General Practitioners (ICGP) annual conference today. 

He said he is contacted by doctors each month who have been the victim of ransomware attacks. 

“I have seen some horror stories unfold. GPs tend to hire cloud storage companies to back up patient records, and in some cases, hackers have pretended to be the practice when contacting the data storage providers, and told them to stop backing up records.

“Then, when they launch a ransomware attack, they know the doctors are trapped, because they don’t have a backup of the records”. 

Dr Sweeney said that it is difficult for doctors in smaller practices across Ireland to keep on top of the latest trends in phishing and ransomware attacks, and that often, they will make the situation worse after they have been hacked by asking their “regular IT man who fixes hardware” to try and remedy the situation. 

Under EU law, GPs are required to implement appropriate measures to protect public health data, and they can be fined up to €20,000,000, or 4% of their annual income for breaking the rules. 

They are also required to inform the Data Protection Commissioner (DPC) of a GDPR breach within 72 hours. 

Dr Sweeney said that the DPC is not trying “to trip GPs up”, and that it would be highly unusual for a small practice to be charged the maximum fine. 

“Usually, as long as GPs can show that they have taken all the necessary basic steps to ensure patient data is protected, the DPC is not going to come down hard on them,” he elaborated. 

Dr Sweeney said that increased protection needs to be there for GPs, especially as the eHealth agenda comes into effect. 

“GPs have been at the forefront of developing electronic records in Ireland, but as independent contractors, we are afforded little in the way of protection when it comes to ransomware attacks,” he explained. 

“As the Health Information Bill is progressed, GPs will be asked to provide more information to the HSE and hospitals. There is a need for increased protection. When the HSE was targeted in a ransomware attack in 2021, the National Cyber Security Centre stepped in and played a huge part. 

“The HSE also has a data protection team. GPs are essentially out in the cold, but are also handling the public’s medical information. 

“There should at least be a helpdesk, or some support there for us, even just a qualified IT consultant who can do what I am doing now,” Dr Sweeney said. 

However, he added that the Government has invested a large amount of money into IT programmes for GPs that have been “hugely welcome”. 

“Without the State funding these really beneficial programmes that are running like e-prescriptions, CDM messaging and vaccination messaging, they would still be in the concept stage,” he said.

Speaking to doctors today, Dr Sweeney told them that as hackers are developing ever more complex software, it is “almost an inevitability” that general practices will get hit at some point in time.

Doctors present at the talk asked if their practices should be hiring outside firms to test their cyber security systems. 

They were told that they could, but that it is very expensive, and that it wouldn’t prevent them from being hacked down the line if software is not updated, and the basics of cyber security are not implemented. 
