The board of one of the worst hit trusts in the NHS cyber attacks had discussed its lack of plans to tackle a cyber security breach just days before last Friday’s attacks.
Southport and Ormskirk Hospital NHS Trust’s May board papers say “the trust does not have plans in place for what to do in the event of a cyber security attack”.
Digital Health News understands that neighbouring trusts, which thanks to prompt action on Friday, luck and a lot of hard work by staff over the weekend, were able to quickly recover, have been rallying around to lend staff, expertise and support to Southport, which been less fortunate.
In a statement issued on Wednesday, the trust’s chief operating officer Therese Patten said: “We reduced the number of planned services earlier in the week to ensure we continued to provide safe care for our patients. From tomorrow (Thursday) all our services are returning to normal and patients with appointments should now attend as usual. There may, however, be some delays in clinics and we apologise in advance for these.”
The attack, which has been attributed to a ransomware variant called WanaDecrypter, has caused widespread disruption in the NHS as trusts were either infected with the virus or switched off networks and external links to patch systems and prevent infection.
Southport and Ormskirk’s board meeting on 3 May listed “gaps” in the trust’s cyber security defences which included:
- No members of staff with specialist knowledge of cyber security
- No resources dedicated to cyber security or IT security
- There is a historical lack of executive oversight of cyber security
Friday’s attack exploited a known Windows vulnerability, in a range of Microsoft operating systems, patches for which have been available since March.
An action plan published in the board papers included developing a patching policy for Microsoft products, non-Microsoft products, mobile device management and legacy systems, which is due to be completed in August.
For the same deadline, it said the trust would identify and review all legacy systems across the trust.
The trust was due to produce a cyber security policy on how to respond to an attack by June.
While the attack was not targeted at the NHS, the ransomware caused chaos over the weekend and into this week with one in five trusts initially affected.
Alongside Southport and Ormskirk, Northumbria Healthcare NHS Foundation Trust and Barts Health NHS Trust continue to be affected.
— Barts Health (@NHSBartsHealth) May 17, 2017
Barts, the largest trust in England, have cancelled some planned operations and clinics for the seventh day in a row.
On Wednesday, 21 planned routine operations were postponed at Northumbria.
Pls keep A&E free for serious emergencies. Patients affected by disruption to services can contact us on the number below. Sincere apologies pic.twitter.com/PxiPx7QQ3s
— NorthumbriaNHS (@NorthumbriaNHS) May 17, 2017
Southport and Ormskirk’s board papers also said that while the trust receives weekly CareCert Alerts from NHS Digital, “there is currently no formalised process about how these are actioned”.
The paper also published the results of a cyber security review that was conducted in February at the trust, from which it developed its action plan, along with the IT team.
The review found patch management as “control partially implemented” and malware protection as “control fully implemented”, amongst its findings.
The paper discussed issues with awareness amongst staff trust with a 2011 review finding that staff were fooled by fake e-mail phishing attack, on-site attacks and remote telephone attacks.
“There is no specific cyber security training that staff undertakes [sic] at present in the trust”, the paper said, however there was a more robust publicity campaign planned.
In an ominous conclusion, Southport and Ormskirk said “it is not unlikely that the trust could be targeted for an attack in the near future”.
The trust declined to comment for the story.