The first step to getting help is admitting you have a problem

  • 23 May 2017
The first step to getting help is admitting you have a problem

I feel an upwelling of sympathy for Laura McCoy, information governance manager, and Matt Connor, head of IT, from Southport and Ormskirk Hospital NHS Trust, which was among the60-odd NHS organisations hit by the recent Wannacry cyber attack.

Last week Digital Health News reported that the trust had published a board paper on developing a cyber security action plan just days before being hit.

It’s their names who appear at the bottom of the “Cyber Security position statement and Action Plan May 2017” starting on page 20 of 169 in the board minutes.

Good idea, bad timing

The paper they presented was a good starting point, given where they were. Their plan to have a full review of legacy systems and patch management policy and processes up and running by August 2017 sounded like a good idea at the time. Too late, unfortunately.

We all have to start somewhere

Any organisation that suggests that they’ve never been in the same boat is either lying or delusional, for the simple reason that we all had to start somewhere.

I have no idea of the context, but somebody somewhere in that organisation decided to take cyber threats seriously, and act on it. The paper is honest about the exposure, and has tangible actions with dates on it. I’m not going to undertake a line-by-line critique or endorse their actions, but it is worth pointing out that they acknowledge they don’t have cyber security expertise on their team. It’s a tough jam to be in…and if May to August 2017 had been January to April instead, they may well have come out unscathed.

People doing their best and being honest

So, what I read into those papers is a group of people – the Board, the staff team – doing their best, being honest about their issues, trying to sort them out. It’s a tragedy that because it was too late that the people they are looking to serve will have suffered because of this gap.

Finger-wagging is irrelevant, discussions about patching software are not the issue. The relevant point is how we ensure a systemic improvement.

NHS boards must take responsibility for security risks

That NHS board should have specific requirements placed upon them to manage those risks, and the means in their team to do so. The team in the hospital should have, or have access to, a trained, registered and accountable professional who can assure the Board that their responsibilities are discharged (once they have). This should be routine.

Patients should be able to trust that this happens – and many will assume that’s what happens already.

Improvement happens by design

This does not happen by magic, it happens by design – and the Board and staff team addressing this issue in this and every other case did not have that framework of support and clarity of duties.

Many people working in the NHS in IT are absolutely heroic in their personal desire to be as good as they can, to make a difference as much as they can, to be true professionals. Yet those are the heroes, and they are unrecognised largely…and nobody can be sure who they are.

We need to see that system fix happen. Since the wannacry cyber-attack, we’ve been in a rapid and complex discussions with our security and health and care communities, as well as our wider stakeholders and partners who share our aims. We will see what comes of that…

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

East Sussex Healthcare selects Nervecentre for new EPR

East Sussex Healthcare selects Nervecentre for new EPR

East Sussex Healthcare NHS Trust has selected Nervecentre as its preferred supplier for an electronic patient record (EPR).
NHS England’s federated data platform: One year on

NHS England’s federated data platform: One year on

Many of the initial concerns about the FDP have proven unfounded one year after its launch, writes Matthew Taylor, CEO of NHS Confederation.
Data published online following data breach at Alder Hey

Data published online following data breach at Alder Hey

A major data breach of Alder Hey Children’s NHS FT's online systems has seen private information published online and shared via social media.

2 Comments

  • It’s not just the quality of data security that needs to be thought about but the quality of the data itself, and it;’s not just a question of boards taking responsibility but also of boards being held to account. When there is a plane crash and an independent investigation takes place, there is total openness, honesty and transparency. That is the right approach. In my personal and honest opinion the quality of care provided by the NHS is second to none but NHS IT (including people’s health data) is in a dreadful mess.

    • There is a lack of accountability on all fronts and a failure by NHS organisations to put in place the necessary processes to close the loop. Many issues go undetected including data and clinical incidents. The issues we detect and manage today (when the NHS isn’t busy trying to bury them) is the tip of the iceberg.

      Some are a direct result of incompetent IT. e.g. Late, delayed or cancelled appointments due to IT / record management issues or just shocking processes that allow patients and their care to slip through the cracks.

      Having witnessed first hand the failings of the NHS and its inability to address these issues I think the Healthcare Safety Investigation Branch (HSIB) is a welcomed addition to the landscape. The question is will it have the authority/resources to address all the visible issues let alone those that the NHS is busy sweeping under the carpet.

Comments are closed.