Major global cyber-attack hits NHS and delays treatmentBMJ 2017; 357 doi: https://doi.org/10.1136/bmj.j2357 (Published 15 May 2017) Cite this as: BMJ 2017;357:j2357
All rapid responses
Tale of an NHS doctor: Vigilance regarding the virus, biological- and cyber-
A cliche but these are truly unprecedented times as the COVID-19 pandemic envelops the world, in some cases changing life as we know it. The impact is clear from job losses, obliteration of direct social contact, to the tragic loss of life. Of course our thoughts and prayers are with those who have paid the ultimate sacrifice. (1)
As an NHS GP it has been a privilege to work with my colleagues as we don our stethoscopes and enter the trenches as front line staff as we take on the scourge of this biological virus. This current pandemic has also made me think about another type of virus, I will call the foe: this foe is man-made, sinister and with one real purpose, which is to destroy as demonstrated by the ‘wannacry attack’ on the NHS in 2017. (2). Of course this foe is commonly referred to as a ‘cyber virus’.
The thought to write and share my experience entered my mind, during this pandemic, as my young family and I, continue to deal with a cyber virus attack which appears to have originated from a trip abroad in late 2019 during our wedding anniversary. We noted while still abroad that our smart phones had possibly been ‘hacked’, and subsequently arrived back in the UK to find that our emails, mobile phone numbers, home network and financial information had been compromised.
The impact of the personal cyber attack became clear when my ability to make basic electronic communication became challenging. However, I soon realised how a cyber attack can pose difficulties for simple tasks, such as sending emails and making phones calls, activities that we all take for granted in today’s world. We have worked diligently since then to remedy the situation and resume normal ‘digital’ life.
As a doctor, a lack of access to reliable email and mobile technology has been challenging regarding my ability to contact others or be contacted. Significant steps have been taken to resolve these matters, however, I feel that in these times of increasing reliance on technology, there should not only be a desire for the individual to become more knowledgeable about cyber security but possibly there should be a clear strategy / guideline, ‘an SOS’ if you will, at the national, sun national and community level, for any citizen who has been a victim of cyber virus attach (cyber crime). Of course there are helplines and online resources but my experience tells me that during a cyber attack, a face to face discussion with an information technology expert may be the best option initially. This face to face approach is especially important, as one tries to regain confidence in the system which has ultimately been compromised.
The current pandemic has accelerated our need as doctors and health workers to use online technology in medical practice which can be a fantastic tool but of course has additional risks.(3). It got me thinking about how many of us actually know about the risks and how we and our systems are exposed? For example, I am sure hordes of primary school children can now recite in ‘parrot fashion’ and rightly so, the guidance regarding washing their hands thoroughly for at least 20 seconds, adhering to social distancing, and to only leave their homes for essential travel. However, what steps would many of us take to prevent a cyber virus attack? Especially in this current pandemic when electronic activities and use are the life-blood of the nation and critical to our day to day running of things.
I am aware that many cyber virus attacks occur daily, and are largely manageable but I write this article to hopefully help the nation, especially colleagues, to be vigilant regarding criminal schemes such as, phishing emails, phishing websites, fraudulent ‘push text messages’, challenges of ‘unsecured public Wi-Fi’, and the importance of robust passwords, to name but a few cyber security issues. Furthermore, anti-virus software can of course be a useful tool to combat many online attacks, what much do most of us know about this tool?
So, as we try our best to work as a nation, to tackle this biological virus COVID-19 pandemic, I urge us all to also please ‘stay safe’ online to prevent an online ‘cyber virus attack’, in these truly unprecedented times. Simply put, ‘please think before you click’.
1 Michael Stuart Bronze. Fast Five Quiz: COVID-19-Medscape- Mar 20, 2020
2 Wannacry 2017 NHS: www.nao.org.uk.report
Dr Onebieni J. Ana, BSc (Hons), MBBS, MSc SEM, MRCGP
Competing interests: No competing interests
Between 2013 and 2017, 28 of the 153 acute trusts in England have been placed in special measures(SM) by the Care Quality Commission(CQC). Several more have been investigated(1,2). In the words of the CQC, “The challenge for the staff and leaders of a trust in SM should not be underestimated…..There are few greater leadership challenges in the NHS than turning round a trust in special measures, but it is one of the most important roles in the hospital sector(1).” These challenges include healthcare information management.
Last week, a different challenge in the form of the “ransomware” cyber-attack hit the NHS. Of the 48 trusts affected, 37 were attacked directly and shut down their systems as a precaution(3, 4). 12/37 trusts were in SM at some stage between 2013 and 2017. Acute trusts in SM were three times as likely to be affected by the recent cyber attack as trusts which were not in SM(OR 3.00, 1.26-7.14; p=0.01). Interestingly, 15/28 trusts had come out of SM by March 2017 and yet 7 of these 15 trusts were still affected by the cyber attack (3, 4).
This is a crude, unadjusted odds ratio and there are limitations, including lack of data about severity of disruption, level of “digital maturity” and exact reason for being in SM at each trust. However, given: (i) the scale of resource and effort spent on CQC inspection to ensure quality of care across domains at acute trusts, especially those in SM; (ii) the wide-ranging impact of SM on trusts, their patients and clinicians; (iii) the scale of effects of the cyber attack across the NHS; and (iv) the various theories and conspiracies which are already circulating regarding the cyber attack(4); this observation warrants at least further investigation. There are at least two lines of interpretation and enquiry.
First, it is plausible that poor IT infrastructure and a low level of “digital maturity” (including cyber-security) are among the factors most important in putting a trust “at risk” of poor clinical performance and consequently, SM (as well as cyber attacks). The CQC does already look at IT issues and states that “we have found that trusts with good and outstanding ratings have better digital systems in place”. However, events of last week will undoubtedly mean a far greater level of digital scrutiny during future CQC inspections.
Second, being put in SM can create an adverse environment that threatens IT infrastructure and security. Trusts in SM are already challenged by financial, recruitment and organisational pressures. When budgets are tight, IT costs are usually cut before acute services and the association between SM and lesser cyber security may reflect the relative lack of investment and emphasis on healthcare IT. The impact of IT/informatics on healthcare quality is relatively under-studied in research, and under-recognised in practice, but the cyber attack is a sobering and timely reminder.
Following the Wachter review(5), large-scale NHS health IT improvement programmes are underway, including the Global Digital Exemplars and the NHS Digital Academy. In parallel, Health Data Research UK will represent the largest spend on health informatics research to-date(6). Whether poor healthcare quality (denoted by SM) is a cause or an effect of digital immaturity is just one of the questions which can only be answered by bridging the gap between clinical practice and research.
1. Care Quality Commission. The state of care in NHS acute hospitals: 2014 to 2016 http://www.cqc.org.uk/sites/default/files/20170302b_stateofhospitals_web...
2. NHS Confederation. Key statistics on the NHS. http://www.nhsconfed.org/resources/key-statistics-on-the-nhs
3. The NHS trusts hit by malware – full list. The Guardian. 12/5/2017. https://www.theguardian.com/society/2017/may/12/global-cyber-attack-nhs-...
4. Major global cyber-attack hits NHS and delays treatment. BMJ 2017; 357 doi: https://doi.org/10.1136/bmj.j23575 (Published 15 May 2017)
5. UK Department of Health. Making IT work: harnessing the power of health information technology to improve care in England. UK Department of Health; 2016 07/09/2016.
6. Medical Research Council. Director appointed for new UK health and biomedical informatics research institute https://www.mrc.ac.uk/news/browse/director-appointed-for-new-uk-health-a...
Competing interests: No competing interests