Major global cyber-attack hits NHS and delays treatment

BMJ 2017; 357 doi: (Published 15 May 2017) Cite this as: BMJ 2017;357:j2357

Special measures-cause or effect of digital immaturity? Lessons from the cyber attack.

Between 2013 and 2017, 28 of the 153 acute trusts in England have been placed in special measures(SM) by the Care Quality Commission(CQC). Several more have been investigated(1,2). In the words of the CQC, “The challenge for the staff and leaders of a trust in SM should not be underestimated…..There are few greater leadership challenges in the NHS than turning round a trust in special measures, but it is one of the most important roles in the hospital sector(1).” These challenges include healthcare information management.

Last week, a different challenge in the form of the “ransomware” cyber-attack hit the NHS. Of the 48 trusts affected, 37 were attacked directly and shut down their systems as a precaution(3, 4). 12/37 trusts were in SM at some stage between 2013 and 2017. Acute trusts in SM were three times as likely to be affected by the recent cyber attack as trusts which were not in SM(OR 3.00, 1.26-7.14; p=0.01). Interestingly, 15/28 trusts had come out of SM by March 2017 and yet 7 of these 15 trusts were still affected by the cyber attack (3, 4).

This is a crude, unadjusted odds ratio and there are limitations, including lack of data about severity of disruption, level of “digital maturity” and exact reason for being in SM at each trust. However, given: (i) the scale of resource and effort spent on CQC inspection to ensure quality of care across domains at acute trusts, especially those in SM; (ii) the wide-ranging impact of SM on trusts, their patients and clinicians; (iii) the scale of effects of the cyber attack across the NHS; and (iv) the various theories and conspiracies which are already circulating regarding the cyber attack(4); this observation warrants at least further investigation. There are at least two lines of interpretation and enquiry.

First, it is plausible that poor IT infrastructure and a low level of “digital maturity” (including cyber-security) are among the factors most important in putting a trust “at risk” of poor clinical performance and consequently, SM (as well as cyber attacks). The CQC does already look at IT issues and states that “we have found that trusts with good and outstanding ratings have better digital systems in place”. However, events of last week will undoubtedly mean a far greater level of digital scrutiny during future CQC inspections.

Second, being put in SM can create an adverse environment that threatens IT infrastructure and security. Trusts in SM are already challenged by financial, recruitment and organisational pressures. When budgets are tight, IT costs are usually cut before acute services and the association between SM and lesser cyber security may reflect the relative lack of investment and emphasis on healthcare IT. The impact of IT/informatics on healthcare quality is relatively under-studied in research, and under-recognised in practice, but the cyber attack is a sobering and timely reminder.

Following the Wachter review(5), large-scale NHS health IT improvement programmes are underway, including the Global Digital Exemplars and the NHS Digital Academy. In parallel, Health Data Research UK will represent the largest spend on health informatics research to-date(6). Whether poor healthcare quality (denoted by SM) is a cause or an effect of digital immaturity is just one of the questions which can only be answered by bridging the gap between clinical practice and research.

1. Care Quality Commission. The state of care in NHS acute hospitals: 2014 to 2016
2. NHS Confederation. Key statistics on the NHS.
3. The NHS trusts hit by malware – full list. The Guardian. 12/5/2017.
4. Major global cyber-attack hits NHS and delays treatment. BMJ 2017; 357 doi: (Published 15 May 2017)
5. UK Department of Health. Making IT work: harnessing the power of health information technology to improve care in England. UK Department of Health; 2016 07/09/2016.
6. Medical Research Council. Director appointed for new UK health and biomedical informatics research institute

Competing interests: No competing interests

19 May 2017
Amitava Banerjee
Senior Clinical Lecturer in Clinical Data Science and Honorary Consultant Cardiologist
University College London
Farr Institute of Health Informatics Research, 222 Euston Road, London NW1 2DA