Nunavut’s health-care system overcomes ransomware challenges

Over the past month, Nunavut’s health centres and the Qikiqtani General Hospital in Iqaluit have remained open despite the Nov. 2 ransomware attack that shut down the Government of Nunavut’s computer systems.

This made it impossible for health workers to consult electronic medical records, use the telehealth videoconferencing system or, until recently, even send emails.

“We never closed down any health centres, we never closed down the hospital, and we never refused any patient’s care,” said Dr. François de Wet, the Health Department’s chief of staff.

“Everyone rose to the occasion and we were able to provide the best care we could to Nunavummiut.”

But there is “no estimated time of arrival yet” for the return of access to medical records and telehealth, which the GN continues to work on, de Wet said.

Since the ransomware attack, if you have been a patient in the Nunavut health care system, you probably experienced some delays because you may have had to repeat your case history.

“It was very challenging. In some cases, we had to contact Ottawa to have them fax up notes,” de Wet said.

Every patient was like a new one, and “it was like we had never seen that patient before,” he said.

As a result, a consultation that should have taken 20 minutes may have lasted 40 minutes or an hour.

“We went from having computerized record systems and all our laboratories and x-rays and everything else online to having no computers whatsoever. We had no electronic medical records, no access to imaging or to our lab work,” de Wet said. “We really had to revert back to paper.”

With the recent return of email communications, the situation has improved, although non-urgent blood tests continue to be postponed until everything is back to normal.

But “our system is working, medical records are coping, the lab is coping. So, in terms of the services we can provide, there really hasn’t been a whole lot of change,” de Wet said.

What he calls the “IT apocalypse” could have been much worse for health care delivery if the Health Department had not had a disaster management plan in place.

That plan included contacting colleagues in the south, explaining the situation and finding solutions quickly, de Wet said.

For example, within a day, a radiologist arrived and started reading emergency X-rays that could no longer be sent south online for an expert opinion.

Meanwhile, the lab could do tests, but could not communicate the results online.

“Basically, if they did a test, they would put the result on a piece of paper that they would bring to the emergency clinic or fax to a community,” de Wet said. “My staff was very innovative.”

The Qikiqtani General Hospital at night: without a disaster plan to call on, the QGH might not have been able to deal with the ransomware attack of early November. (Photo by Dustin Patar)

Having the disaster plan was key.

“It could be anything: the hospital burning down, and a plane crash,” de Wet said. “We didn’t plan for a ransomware, but the process was in place, so it had a big impact but not as bad as it could have been.”

Eventually the Health Department will have access to its patient medical records because these were all backed up. On the Friday before the ransomware attack, the department was transitioning to a new version of its Meditech system, de Wet said.

“Because of this transition from one version to another, we actually had way better backups than we would usually have,” he said.

In some ways smaller communities coped better with the loss of connectivity, because their health centres transitioned from paper to electronic only about a year ago, he said.

“We’ve learned a lot from this,” de Wet said. “One of the biggest challenges for us is that we did not have a list of physicians’ personal email addresses, so we had to go through contracts.”

And all their information and documents from prospective physicians were computerized.

“So we relied on the memory of our recruiters,” de Wet said.

That points to a need for a separate database of information to be stored in a separate system.

“Ransomware was an eye-opener to all of us,” de Wet said. “It showed us how connected and dependent we are on technology.”

“The great thing about it is that we did have procedures, structures and policies in place exactly for this kind of emergency, so when it did happen we were able to respond. We did not shut down services. It’s actually quite amazing when you think about it.”