Skip to main content

We are working to bring Devices, IT services and applications back as quickly and safely as possible. Some services are unavailable at the moment. Read about how to restore your device safely.

Clinical guidance

Last updated on 18 June at 5.30 pm

State Indemnity Guidance

The State Claims Agency (SCA) recognises the enormous impact of the recent IT cyber attack on the provision of health care to the public.

The SCA has issued guidance to doctors, nurses, midwives and allied healthcare professionals on State indemnity, incident reporting and risk management guidance, under the Clinical Indemnity Scheme and General Indemnity Scheme.

The advice is of particular concern to clinicians, and in particular to the public work being undertaken in private hospitals.

Read State indemnity guidance in full

Memo from office of the Chief Clinical Officer

Version 6, issued on 18 June 2021

Status Update

Our focus, as always, is on the safe delivery of patient care. However, I remain conscious of the impact of this incident on staff health and wellbeing. I acknowledge the impact this lengthy incident is having on all grades at all levels within the service. Once again, I want to express my gratitude to you as you continue to manage this crisis with the highest level of professionalism and commitment. The agility of your response in such a dynamic and high-risk environment is remarkable. I am grateful also to patients and service users for their continued patience and support through this difficulty period.

This is my sixth memo the purpose of which is to provide updates on clinical risks and provide guidance for clinical services as we enter the fifth week of the HSE IT System Cyberattack. Recovery has been established for several weeks and activity restored on most sites. This week has seen a sustained increase in ED presentations, both GP referrals and self-referrals. However, while in recent weeks the increased footfall did not convert to admission, it did so this week. Hence, trolley numbers have risen, and we share an awareness and concern about the added strain and risk this generates. Colleagues in the Emergency Medicine programme have attributed this to post lockdown injuries, increased frailty, and the duration of the cyberattack. Length of stay is also increasing on acute sites because of the preponderance of unscheduled admissions and the persistent slowing of internal systems Communication has re- issued to GPs and by public media to raise awareness of potential delays in unscheduled care and to avoid hospitals where possible.

Colleagues in ICT have advised that operational capacity will remain constrained until all ICT systems, including the many smaller systems, are restored. Colleagues in ICT are fully apprised of the clinical risks generated by this cyberattack and the cumulative nature of the risk. This week, the requirement to restore internet access to enable many clinical applications has been escalated. We are aware of the staff, service, and equipment dependence on internet access. However, international experience has shown that 56% of organisations who have experienced a cyberattack experience a second attack and 10% of organisations are attacked by an agent that has been within their system for three years. Such is the severity of this attack, an estimated 40 % of email accounts cannot be restored in the medium term. There must be sufficient assurance that systems have been cleansed and adequate protection is in place. With that in mind ICT will provide limited internet access to critical applications and are preparing a list of priority sites. They expect to test wider internet access in approximately 10 days (~ July 4th).

The onerous task of uploading backlogs and reconciling patient records is progressing and the level of stress and risk involved in this process is well recognised. As this work progresses evidence of incidents and near misses emerge. It is critical therefore that we continue to manage these risks to mitigate them where possible, identify, report, and manage incidents and share lessons learned to prevent recurrence. The State Claims Agency has received approximately 1,400 paper National Incident Report Forms thus far.

Your commitment and creativity in developing highly innovative ways to deliver the safest possible care in extraordinarily difficult circumstances has served patients well in recent weeks. Over the first weeks of the incident, even with these contingencies in place and with limited ICT recovery, most providers curtailed services.

Scheduled care has, of necessity, now resumed in hospitals. Recovery in community services has been slower and this represents a burden on elements of the care pathway. While the level and pace of recovery remains variable, and I am grateful for your collective patience and collaboration.


Advice on clinical management over the course of this incident has been underpinned by the need to prioritise patient safety and maintain critical clinical services with the lowest practical level of risk in a very difficult environment. The ICT focus has shifted to recovery of multiple smaller ICT systems, integration of major systems and community service restoration. In clinical services the focus is on management of recovery and the safe resumption of services as quickly as is practical while clearing administrative backlogs. It remains essential that this is closely monitored at service level to enable those services that can deliver scheduled care with an acceptable level of clinical risk to do so, without overburdening affiliated services. Radiology and laboratory services ability to resume activity remains limited while they upload investigations undertaken during the cyberattack, authenticate reports, and issue addendums or results. Overall operational capacity will remain restricted until full connectivity is restored. The principles are to:

  1. Prioritise patient safety.
  2. Protect unscheduled and urgent care.
  3. Ensure continuation of time-critical care and treatment e.g., dialysis, surgical procedures, radiotherapy.
  4. Ensure involuntary admissions in Mental Health Services are conducted as safely as possible.
  5. Enable staff to work as safely as possible as we recover the usual digital support and enablement.
  6. Reinstate services in a manner that does not threaten recovery or compromise the safe follow-up of patients seen during the cyberattack.
  7. Provide meaningful communication to address patient’s and other service users concerns and enable informed decision making.
  8. Support staff and acknowledge the risks to them of operating in an environment where we begin to recover the usual information systems support.

Updated Risks

The integrated clinical and operational risk subgroup of the National Crisis Management Team meets each Monday, Wednesday, and Friday to guide the operational response based on clinical priority.

Earlier memos described how this incident impaired access to patient records, information management systems and timely accurate diagnostic tests. As such it creates a risk to patients and service users because of inadvertent clinical error, delayed diagnosis, and delayed treatment. The cumulative effect of risks is now evident and new risks are emerging as scheduled procedures become urgent etc. Risk accrues daily as does the adverse impact on recovery. Backlogs in clinical appointments and reconciliation of patient records and investigations with originals remain an independent risk that will prolong the recovery phase of this incident placing additional pressure on our system, staff and ultimately patients.

We identified overarching clinical risks which are shared by all services inherent in the absence of current IT and digital systems a month ago and they remain active until recovery is complete:

  1. Risk of harm to patients because of clinical errors related to lack of access to clinical notes.
  2. Risk of harm to patients because of reduced access, delayed diagnosis, and treatment due to widespread slowing of all internal processes.
  3. Risk of harm to patients because of severe restriction in GP access to diagnostic laboratory and radiology tests.
  4. Risk of harm to patients because of reliance on telephone and written ordering of tests and communication of results, with risk of lost results.
  5. Risk of harm to patients because of manual reporting with transcription errors in handwritten results.
  6. Risk of potential breaches of GDPR, which must be managed in the context of the immediate priority of managing clinical risk to the patient.
  7. Patient and service user fear and frustration related to uncertainty and delays which will increase as the incident progresses; and
  8. Risk to staff of working in a high stress environment in the absence of usually IT supports.

Likewise, the specific risks for foundational services and particular patient groups remain active, albeit mitigated by substantial recovery e.g., Laboratory, Radiology and Cancer. We continue to capture additional risks and mitigations for important clinical areas e.g., Endoscopy, High Tech Infusions

Clinical Guidance:

  1. Information updates are provided on the HSE website and individual hospital websites. These are continually revised as the incident and recovery progresses and should be referred to for the most up-to-date information available.
  2. The State Claims Agency has published guidance on their website with regards to indemnity
  3. A daily Cyber Security Incident update is posted on the HSE website and can also be followed @hselive on Twitter.
  4. CCO advice on options for the management of accumulated laboratory samples issued on May 25 remains active.
  5. Communication has issued to all sites outlining presumptive ICT recovery timelines for major systems including email
  6. The differential pace and level of recovery is such that the ability to deliver clinical services will also vary. Active ongoing, communication with local management and GPs is essential to optimise care.
  7. Advice to GPs has issued and is updated weekly. Outward HealthLink communication to GPs has been restored. Arrangements are in place to enable GPs to order a limited suite of laboratory tests from private laboratories. This is a temporary measure to while systems recover in the hospital laboratories that normally provide service to GPs.
  8. Services to prioritise delivery of urgent, unscheduled, and time-critical care within the limitations of the impact of the incident.
  9. Services should continue provide scheduled care subject to risk assessment in the recovery phase. The risk assessment should consider the impact on other services.
  10. The need to safely manage volume of demand is once again reiterated. The efforts made across the community and hospital service to reduce requests for investigations have made an important contribution to managing this situation and it is essential that this continues as a very high level of demand will compromise overall safety and recovery.
  11. As recovery progresses, clinicians should remain mindful of the differential pace of recovery in some diagnostic services when scheduling activity and ordering investigations.
  12. Support for less experienced colleagues is essential as is peer to peer support under these, now prolonged, difficult circumstances.
  13. It is important for all staff to comply with the National Incident Management Policy. Paper base systems should be used pending the re-activation of the electronic National Incident Management System (NIMS).

Thank you all again for your response to this crisis and to assure you that, within the HSE and with Government departments, we are committed to support you as we work to resolve and restore IT systems to deliver clinical care. Please disseminate this memo to colleagues who do not have access to HSE email or mobile phones.

Related Content

Page last reviewed: 15/05/2021
Next review due: 15/05/2024