I feel an upwelling of sympathy for Laura McCoy, information governance manager, and Matt Connor, head of IT, from Southport and Ormskirk Hospital NHS Trust, which was among the 60-odd NHS organisations hit by the recent WannaCry cyber attack.

Last week Digital Health News reported that the trust had published a board paper on developing a cyber security action plan just days before being hit.

It’s their names that appear at the bottom of the “Cyber Security position statement and Action Plan May 2017”, starting on page 20 of 169 in the board minutes.

Good idea, bad timing

The paper they presented was a good starting point, given where they were. Their plan to have a full review of legacy systems and patch management policy and processes up and running by August 2017 sounded like a good idea at the time. Too late, unfortunately.

We all have to start somewhere

Any organisation that suggests that they’ve never been in the same boat is either lying or delusional, for the simple reason that we all had to start somewhere.

I have no idea of the context, but somebody somewhere in that organisation decided to take cyber threats seriously, and act on it. The paper is honest about the exposure, and has tangible actions with dates on it. I’m not going to undertake a line-by-line critique or endorse their actions, but it is worth pointing out that they acknowledge they don’t have cyber security expertise on their team. It’s a tough jam to be in…and if May to August 2017 had been January to April instead, they may well have come out unscathed.

People doing their best and being honest

So, what I read into those papers is a group of people – the Board, the staff team – doing their best, being honest about their issues, trying to sort them out. It’s a tragedy that, because it was too late, the people they are looking to serve will have suffered because of this gap.

Finger-wagging is irrelevant, discussions about patching software are not the issue. The relevant point is how we ensure a systemic improvement.

NHS boards must take responsibility for security risks

That NHS board should have specific requirements placed upon them to manage those risks, and the means in their team to do so. The team in the hospital should have, or have access to, a trained, registered and accountable professional who can assure the Board that their responsibilities are discharged (once they have). This should be routine.

Patients should be able to trust that this happens – and many will assume that’s what happens already.

Improvement happens by design

This does not happen by magic, it happens by design – and the Board and staff team addressing this issue in this and every other case did not have that framework of support and clarity of duties.

Many people working in the NHS in IT are absolutely heroic in their personal desire to be as good as they can, to make a difference as much as they can, to be true professionals. Yet those are the heroes, and they are unrecognised largely…and nobody can be sure who they are.

We need to see that system fix happen. Since the WannaCry cyber-attack, we’ve been in rapid and complex discussions with our security and health and care communities, as well as our wider stakeholders and partners who share our aims. We will see what comes of that…