Last November’s Mytob worm attack on the network of Barts and the London NHS Trust led to its ‘major internal incident’ plan being activated, with some ambulances redirected from A&E.
The network failure was one of the most severe known to have occurred at an NHS hospital trust. To clean and restore the infected network, Barts had to draft in help from neighbouring trusts and a 40-strong team from BT.
An interim report on the incident says clinical services were affected, though effective alternative arrangements worked. However, it also says that protracted delays in getting the network back up, and in providing access to the clinical systems that run on it, created potential risks to patient care.
The incident began on Monday 17 November, but the network was still down two days later. Even with extra help, it took over a week to get all top-priority areas reconnected. It took the trust until 2 December to fully recover from the failure.
A trust spokesperson told E-Health Insider that an investigation into the incident continues: “The investigation into how the virus managed to evade our security is not yet complete. Until then it would be inappropriate to speculate on the outcome. It is expected that the results on the investigation will be presented to the trust’s board in late January.”
The interim report states that sometime before 17 November, the trust’s computer network became infected by a variant of Mytob.
“The virus started to have significant effects on the performance of the trust’s network from about 12 noon on Monday 17 November, making most of the trust’s applications, including those covering patient administration, pathology and imaging, inaccessible to clinicians during the afternoon.”
Initially the IT department responded by “isolating components of the network” and putting in place scripts to prevent infected PCs from accessing the network.
Parts of the network were back up by the evening. However, these measures proved ineffective when large numbers of staff attempted to log in the following morning. This led to the network being taken down for a second time.
On Tuesday 18 November, the trust decided it needed to put its ‘major internal incident’ plan into action to ensure that key clinical systems continued while network access was being re-established.
As part of this process the trust sought “an ambulance diversion to limit the flow of emergency patients to the hospital.” The diversion held until the evening for trauma and complex surgery cases “because of pressure on blood cross-matching and access to cross-sectional imaging techniques.” The report says: “No patient safety incidents were recorded over this period.”
With the network down, only limited access to the system was available in A&E and other key areas. As a result, the trust had to revert to paper systems, including “runners” and manual requesting and communication of tests.
The report says recovery proved difficult for a number of reasons: getting the right script to counter the virus took time; with the network down it was difficult to know the extent of the problem; and disinfecting PCs had to be done locally at individual workstations rather than by remote updates. Problems with network stability arose when the trust tried to reconnect cleaned PCs to the network.
As a result, a decision was taken to draft in extra help. “The incident team requested the director of ICT to consider obtaining external support from other NHS providers and BT. All neighbouring trusts, including central London teaching hospitals, provided staff to help disinfect PCs.”
Even then, it took the weekend of 22-23 November to get through the majority of prioritised areas for reconnecting PCs to the network.
The interim report to the trust board by the medical director, Charles Gutteridge, concludes: “The systems supporting and maintaining the network have been shown to require urgent review and improvement. As more and more patient-related data is only available on IT systems, the need for resilience within the network becomes more critical.”
Finally, the report says the trust found itself wanting in the expertise required to deal with such a major network disruption. “It is clear that solving large scale network interruptions requires expertise and staff numbers which are beyond the day-to-day ICT resources of the trust.”