The National Health Laboratory Service (NHLS), which had expected to restore its systems by 15 July after hackers forced it to revert to paper records, is still not fully operational, as a new report reveals an alarming rise in cyber attacks in the healthcare sector.
The backbone of SA’s health system, providing diagnostic tests and holding electronic records for patients using the public health system, the NHLS also offers some highly specialised tests that are not available in the private sector.
The cyber attack on 22 June forced doctors to revert to paper records, and delayed test results and operations. It also disrupted the NHLS’ financial and human resources systems, affecting its ability to pay staff and suppliers.
NHLS spokesperson Mzi Gcukumana told The Citizen they initially projected that its systems would be fully operational by 15 July. “The NHLS reports that some systems are now operating, with more being available as soon as appropriate security measures are completed. We are making considerable progress and remain committed to completing the restoration of all components.
“The NHLS recognises the considerable impact this delay has had on public health facilities and the people of South Africa, and we sincerely apologise for any inconvenience caused. However, we are committed to resolving these issues and are convinced that our teams are making significant efforts towards a robust and fully functional system,” Gcukumana said.
Gcukumana said rebuilding the NHLS’ systems had been an “intricate and challenging endeavour.” “It entails not just restoring data and services, but also ensuring that our infrastructure is robust, safe, and resistant to future intrusions. Our priority is the safety, security, and reliability of our systems, which are essential for the successful functioning of public health services."
Earlier this month, the International Healthcare Report released by KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, revealed the alarming global rise of cyberattacks on the healthcare sector and the urgent need to prioritise cybersecurity
According to the report, Africa was the global region with the highest average number of weekly cyberattacks per organisation in 2023.
In the first three quarters of 2023, the global healthcare sector experienced 1 613 cyberattacks per week, nearly four times the global average, and a significant increase from the same period the previous year.
It showed that one in every 19 organisations on the continent experienced an attempted attack every week.
MyBroadband reports that the BlackSuit hacking group that attacked the NHLS reportedly stole around 1.2 terabytes of data, including third-party, client and patient information.
This is according to Check Point workspace solutions architect Shayimamba Conco, who said situations like these could force institutions like the NHLS into a corner to give in to a ransom.
Speaking to 702, Conco said: “When it comes to ransomware attacks, it’s no longer traditional ransomware attacks whereby data is just encrypted.” “You’ll find now you’ve got double extortion or even to the level of triple extortion,” added Conco.
Ransomware attacks typically involve encrypting the victim’s data and extorting them for a decryption key. Attackers also often exfiltrate sensitive data and threaten to leak it online unless you pay.
Conco said roughly 1.2 terabytes of data was stolen in the NHLS ransomware attack.
“All this data, you’ve got third-party information, your customers, your clients, your patients, and so forth,” said Conco.
“You’ll find that the institutions are pushed into a corner to essentially give in to the ransom.”
The NHLS shut down its IT systems on 24 June 2024, following a breach of its systems the weekend before.
The shutdown affected its emails, website, and system for retrieving and storing patients’ lab test results.
NHLS CEO Koleka Mlisana said the organisation’s Incident Response Team had been deployed to handle the issue.
“This team is working around the clock to determine the scope of the intrusion and deploy the required safeguards to secure our systems and data,” she said.
“Fortunately, our Oracle environment and Trakcare database are not affected, but the entire environment has been shut down to prevent further damage.”
Mlisana revealed the name of the hacking group responsible for the attack a week after it happened.
She said the attackers had left behind a message in which they identified themselves. Mlisana emphasised that her organisation has not and will not communicate with them.
The CEO added that cyber specialists were working to stabilise the system and clear it of harmful viruses. They are also adding further layers of security to prevent further damage.
In addition to stealing data, Mlisana said the group had erased large portions of data, including backups. However, she noted that there was no evidence that patient data had been erased.
She added that there are indications that the group could still be active within the NHLS’ systems.
The attack could have significant implications for the South African healthcare industry, as the NHLS has a network of 265 diagnostic pathology labs servicing local healthcare facilities.
NHLS chair Eric Buch said it was unclear when the NHLS would be fully operational. An investigation by its audit and risk team was under way to determine whether the system could have been better protected. No demand for ransom had been made, and the NHLS was not engaging with any parties claiming to be the hackers behind the attack, he told BusinessLIVE.
The NHLS has taken steps to mitigate the effect of the attack on its systems, including using an NHLS-designed platform called eLABS to provide clinicians with TB and HIV-related results that were generated before the security breach.
The platform also allows electronic registration of samples, and electronic results for newly registered specimens. The NHLS has also implemented a critical tests list to ensure urgent tests were prioritised.
Hack delays TB study
Meanwhile, apart from major disruptions to routine healthcare services countrywide, the cyber attack has also paused plans for the paediatric TB tests, Farzana Ismail, a clinical microbiologist with the lab network, told Zano Kunene from Bhekisisa that it “remains a priority”.
The test pilot, in which stool samples were to be tested for signs of the TB germ, would have taken place over the next two months at six labs in Gauteng, the Eastern Cape and the Western Cape, she had told Bhekisisa at the 8th TB Conference in Durban in early June. The new method will be rolled out at state labs nationwide, the NHLS confirmed.
Finding TB in children is difficult, because under-fives often have only a small amount of the bacteria in their lungs. This means the bug might not show up in a sputum sample, and the test result could come back negative even if the child has TB.
Around 27 000 South African children under 15 are thought to have TB – almost 10% of the country’s total cases – and about 40% of them went untreated in 2022. TB is the third biggest killer in this age group.
Roughly six out of every 10 childhood TB cases are among under-fives, the group in whom it’s particularly difficult to detect the bug.
The difficulty in getting good sputum samples from these children means other, often more uncomfortable, and sometimes painful, ways have to be used to get a specimen good enough to give a reliable result.
South Africa’s guidelines on how to test and treat children for TB were last revised in 2013 and, says Norbert Ndjeka, chief director for TB at the National Department of Health, they are “impatiently waiting for the updated paediatric TB guidelines (to be published)” to help them better diagnose children, because “we’re not doing particularly well in this area”.
Stool is cool
“We’re trying to get to child-friendly methods, like taking a mouth swab or stool sample, so that it’s not so invasive,” says Karen du Preez, a senior clinical researcher at the Desmond Tutu TB Centre.
“The reality is that because kids typically don’t have a lot of bugs, the diagnostic accuracy in the current tests is expected to be low.”
Using stool samples to test for TB will be included in the new guidelines, which are being written jointly by the health department and the TB Think Tank – experts who advise the government on policies for curbing TB infections.
The WHO has recommended testing faeces for TB since 2021, and in countries like Vietnam, Zambia and Ukraine, the method is widely used. Moreover, because the same rapid-result equipment can be used as for sputum tests, namely the GeneXpert machine, any lab that’s already set up for this will be able to run tests on stool samples too.
With a GeneXpert test, a sample (sputum or stool) can be analysed for TB within two hours, and in South Africa, most labs where TB gets tested are equipped with such machines.
Findings from a systematic review of studies in Africa and Asia, where stool samples were used to test for TB, found that the bug was correctly picked up in, on average, about 67% of close to 1 700 cases. This is in line with the WHO’s ideal sensitivity rate of 66% for rapid non-sputum-based TB tests in children. (Africa and Asia make up more than two-thirds of all TB cases globally.)
Correctly identifying kids who did not have TB was almost perfect when using the stool sample test, the review showed. (The stool test’s specificity was 99%, meaning only one out of every 100 test results was a false positive.) Having a TB test with a high specificity means fewer people will incorrectly be put on antibiotic treatment when they don’t need it, for between six and nine months, and so add to the chances of drug-resistant germs developing.
In the same way, using a TB test that yields accurate results fast and so identifies children who do have the germ, means they can get on to treatment early, rather than having to wait for a bacterial culture test to be done, which can take two to six weeks.
Findings of a systematic review of studies in which mouth samples were used for TB tests found that correct results showed up in only 5%–42% of children.
BusinessLIVE article – NHLS still not fully operational after cyberattack (Open access)
See more from MedicalBrief archives:
NHLS cyber hack continues to cause chaos in hospitals
Cyber attacks create havoc in state hospitals in SA, and globally
Key health service units targeted by hackers
Experts punt stool testing for TB in children instead of sputum tests
SA study flags growth stunt from paediatric TB