On June 22, 2024, the National Health Laboratory System (NHLS) became the victim of a cyber-attack that would wreak havoc on the South African public health system and its delivery of patient care. The NHLS website stood at a standstill for the entire weekend, with multiple theories postulated for its cause. The entire NHLS system became unavailable, with no access to documents, laboratory systems, or electronic sample testing. The attack placed patients’ safety and confidentiality at risk, and healthcare providers could not access historical or current results. It was clear that we were hostage to technology.
In the context of an under-resourced healthcare system like the state sector of South Africa, an attack of this magnitude is crippling. The burden that the cyber-attack placed on patients and their families, for whom accessing healthcare is often a basic need, the opportunity cost cannot be quantified. This attack's financial and logistical effects will undoubtedly ripple through the healthcare system for many years.
Cyber-attacks are common, and there are historical accounts of healthcare entities falling victim worldwide and locally. WannaCry ransomware, in May 2017, launched an attack that crippled a third of hospital trusts across NHLS England. Delivery of care was abruptly terminated.(1)
South Africa has had an upstroke of cyber-criminal activity. The NHLS attack was preceded by a cyber-attack in January 2024 by the International Trade Administration Commission of South Africa (ITAC).(2) A security breach also befell the Companies and Intellectual Property Commission (CIPC) in February 2024.(3)
In June 2020, the second-largest private hospital operator in South Africa, Life Healthcare Group, fell victim to a cyberattack. Although the full extent of the attack remains unclear, Life Healthcare Group confirmed that the attack affected admissions systems, business processing systems, and e-mail servers.(4) Two months later, South Africa suffered a massive data breach when Experian, a credit bureau agency, exposed personal information to a suspected fraudster. The exposed personal information affected approximately 24 million South Africans and 800,000 business entities.(5) The remainder of 2020 witnessed various cyber incidents affecting South Africa's financial, public, construction, and telecommunication sectors. In 2021, the attractiveness of South Africa as a cyber target was further demonstrated by the large-scale cyberattack that affected Transnet, the South African state-owned rail, port, and pipeline company.(6) According to Noëlle van der Waag-Cowling, a cyber programmer lead at the Security Institute for Governance and Leadership in Africa, the incident has been described as “cyber warfare.”(7,8) It served as a warning to South Africa.
Given the background of these cyber-attacks, all healthcare institutions that depend on technology for delivering their services should have assessed their security systems. Perhaps the NHLS did not preempt these warning flags and maintained its security status quo.
As the country rolls out the contentious National Health Insurance (NHI), which is paperless and intrinsically technologically dependent, a discussion concerning a detailed IT and data security plan should be at the helm. As it stands, there are no detailed safety plans in place for a potential cyber-attack. Can the authorities in charge of the NHI systems be trusted as the custodians of patient information and personal health profiles?
The challenge with any circumstance that affects a healthcare system is quantifying the actual cost to human life, quality of care, and emotional burden. Delays in access to oncology treatment because of lack of access to histology would cause several patients to have disease progression. Many patients could not have chronic medications tapered at their follow-up visits due to the lack of results. Many of our patients factored in transport costs, leave from work, and social arrangements to make it to clinics where they could not be helped adequately because their results were unobtainable. The incident also highlighted poor timeous communication and a poor backup system from NHLS to its clients, and this affected the service of essential health care across all levels of health care, from primary healthcare facilities to central hospitals, with a definitive increase in morbidity and mortality.
The laboratory moved from online efficiency to manually entering tests, and the NHLS phoned out their results. For hospitals without a private on-site lab, this delay was significant. We were transported back to a time of unavailable or prolonged lab turnaround times, and the need for efficient clinical triage and decision-making became paramount. In a world with nearly everything at our fingertips, this period placed medical care back in the hands of all physicians in the state sector. In those moments, we were reminded of the importance of a thorough clinical examination and meticulous record-keeping.
We have learned through this experience that technological advancement has restrictions, and while it affords us the benefit of efficient access to information, any safety violation can derail this access. Thus, key stakeholders must reassess their security structures and defenses. To mitigate these risks, healthcare organizations must prioritize robust cybersecurity measures, including employee training, regular software updates, and implement advanced threat detection systems. Meticulous record-keeping should be the gold standard for all departments, and alternative solutions for interim access should be explored. As more healthcare departments concerned with patient investigation are going online and becoming cloud-dependent, including radiology and nuclear medicine, the urgency to provide secure, efficient, and uninterrupted results should become a national priority.
At a time when technology continues to invade and occupy a larger space in the healthcare setting, and with the emergence of artificial intelligence, a cyber-attack of this magnitude should make us carefully consider how we manage our technological systems to benefit the healthcare system with the least downside risk.