The board of one of the worst hit trusts in the NHS cyber attacks had discussed its lack of plans to tackle a cyber security breach just days before last Friday’s attacks.
Southport and Ormskirk Hospital NHS Trust’s May board papers say “the trust does not have plans in place for what to do in the event of a cyber security attack”.
Digital Health News understands that neighbouring trusts, which were able to recover quickly thanks to prompt action on Friday, luck and a lot of hard work by staff over the weekend, have been rallying around to lend staff, expertise and support to Southport, which has been less fortunate.
In a statement issued on Wednesday, the trust’s chief operating officer Therese Patten said: “We reduced the number of planned services earlier in the week to ensure we continued to provide safe care for our patients. From tomorrow (Thursday) all our services are returning to normal and patients with appointments should now attend as usual. There may, however, be some delays in clinics and we apologise in advance for these.”
The attack, which has been attributed to a ransomware variant called WanaDecrypter, has caused widespread disruption in the NHS as trusts were either infected with the virus or switched off networks and external links to patch systems and prevent infection.
Southport and Ormskirk’s board meeting on 3 May listed “gaps” in the trust’s cyber security defences which included:
- No members of staff with specialist knowledge of cyber security
- No resources dedicated to cyber security or IT security
- A historical lack of executive oversight of cyber security
Friday’s attack exploited a known Windows vulnerability present in a range of Microsoft operating systems, for which patches have been available since March.
An action plan published in the board papers included developing a patching policy for Microsoft products, non-Microsoft products, mobile device management and legacy systems, which is due to be completed in August.
For the same deadline, it said the trust would identify and review all legacy systems across the trust.
The trust was due to produce a cyber security policy on how to respond to an attack by June.
While the attack was not targeted at the NHS, the ransomware caused chaos over the weekend and into this week with one in five trusts initially affected.
Alongside Southport and Ormskirk, Northumbria Healthcare NHS Foundation Trust and Barts Health NHS Trust continue to be affected.
Our latest statement (3.45pm, Wed 17 May) on IT disruption following #NHSCyberAttack: https://t.co/5nI0QDfc6r
— Barts Health (@NHSBartsHealth) May 17, 2017
Barts, the largest trust in England, has cancelled some planned operations and clinics for the seventh day in a row.
On Wednesday, 21 planned routine operations were postponed at Northumbria.
Pls keep A&E free for serious emergencies. Patients affected by disruption to services can contact us on the number below. Sincere apologies pic.twitter.com/PxiPx7QQ3s
— NorthumbriaNHS (@NorthumbriaNHS) May 17, 2017
Southport and Ormskirk’s board papers also said that while the trust receives weekly CareCERT alerts from NHS Digital, “there is currently no formalised process about how these are actioned”.
The paper also published the results of a cyber security review conducted at the trust in February, from which the trust, together with its IT team, developed its action plan.
Among its findings, the review rated patch management as “control partially implemented” and malware protection as “control fully implemented”.
The paper discussed issues with awareness amongst trust staff, with a 2011 review finding that staff were fooled by a fake e-mail phishing attack, on-site attacks and remote telephone attacks.
“There is no specific cyber security training that staff undertakes [sic] at present in the trust”, the paper said; however, a more robust publicity campaign was planned.
In an ominous conclusion, Southport and Ormskirk said “it is not unlikely that the trust could be targeted for an attack in the near future”.
The trust declined to comment for the story.
18 May 2017 @ 19:49
So tell me how you can have a plan for what happened the other day? You’d be rewriting the thing at the same time as trying to solve the problem. What you need is measures in place and good people.
There is an element of loading the blame gun in these posts. I should point out that this could have been a whole lot worse without the actions of some people who others would choose to blame.
Get off that bandwagon.
19 May 2017 @ 12:09
Searching questions need to be asked as to why these organisations and not others. They were doing something differently. Local decisions, processes and technology evidently play a role and ultimately the local organisation must be accountable for the decisions it makes.
If you maintain a building site and someone comes to harm as a result of your failure to put in basic safety measures, you are liable.
If you failed to understand the requirements or worse misrepresented the real situation (tantamount to fraud), you are liable.
We’re talking about patients lives here and there have to be lessons learnt and someone who is accountable. If there isn’t then this is a very grave situation for patients.
19 May 2017 @ 13:37
Dave, I can understand where you’re coming from and have a lot of respect for IT support working hard hours this last week, but it was preventable.
I don’t understand your comment about not being able to plan for this? Clearly a large number of trusts had planned and taken action to prevent this attack.
18 May 2017 @ 10:52
A quick check of the IG Toolkit submissions made by the Trust for the 15/16 and 16/17 assessments made interesting reading. For the last two years all the Information Security requirements were self-certified at L2…
18 May 2017 @ 14:17
Many hospitals don’t even have the resilience to handle simple upgrades. It took one hospital a week to produce some discharge notes because the system was upgraded.
It’s ironic that many IT procurements the NHS puts out mandate ISO 27001, 9000, etc. certification. It makes little or no difference if the hospital isn’t up to speed. Security is a whole-system picture, from local staff to processes, infrastructure to COTS.
I’ve said it before and I will say it again: we need local accountability, otherwise IGSoC isn’t worth the paper it is written on.