No surprises as WannaCry dominates cybersecurity talks at EHI Live

Healthcare executives drove home the need to adopt new ways of working to protect themselves against cyber-threats during the first day of EHI Live 2017.

Speaking at the event, Charles Gutteridge, chief clinical information officer (CCIO) of Barts Health NHS Trust and Matthew Connor, head of IT at Southport and Ormskirk NHS Trust, shared their experiences of the WannaCry ransomware outbreak which caused widespread disruption to England’s health services in May.

Both trusts fell victim to the attack, which affected some 200,000 IT systems world-wide including more than a third of England’s NHS trusts.

Gutteridge took to the stand at the exhibition at Birmingham’s NEC to discuss the need to bridge the gap between technical and clinical working methods and develop “a single system of healthcare delivery” that was safer and more efficient than current models.

He also suggested there needed to be more direct contact between healthcare boards and vendors to improve education around new technologies and the improvements they can deliver.

“The NHS as customers still have a lot to learn about developing partnerships with vendors, where both sides can benefit around the strategic delivery or hardware and software”, Gutteridge said.

“I think we’re still in a twilight world about what we can do about delivering our infrastructure plans. We’re still waiting on what the plans are for releasing extra resources. This is a very significant issue for us”.

For many in the NHS, WannaCry was the catalyst that drove home just how desperately the healthcare industry needed to modernise and align its attitudes towards new technologies with those of other industries.

Yet despite the need for seismic cultural changes, Gutteridge suggested that the WannaCry outbreak had had the opposite effect at Barts Health NHS Trust. “Every time we have one of these events, the trust’s confidence in healthcare IT wanes, and it takes a lot of time to recover,” he said.

The CCIO added that the cyber-attack had shaken clinicians’ confidence in electronic health records (EHR). “Big hairy groups of clinicians said :‘I am never going to use an EHR again, it’s too unsafe’…when you introduce an EHR into a trust, most clinicians think all patients will die if it all gets virtualised. We have a new culture where people are both dependent and secret enthusiasts of the system, but the tension remains.”

Gutteridge offered that front-line staff could be key to driving the much-needed cultural changes within the NHS, and help identify exactly where improvements can be made to increase resilience to cyber-threats.

“We’ve learnt a lot about listening to front line staff, particularly junior doctors, about what does and what does not work. It’s surprising how inventive young doctors and nurses are. Sometimes the ideas are great and sometimes terrible, but dealing with that….is a really important part of it.”

But unless these voices are heard and actioned upon at board-level, that road to revolution could be a long one. “Convincing boards to take a risk in investing in IT and getting a return three-and-a-half years later down the road is a skill we have to work on, on both sides”, said Gutteridge.

“Without that understanding of how you can transform care and make it safer and more efficient, we’re not going to make them change.”

Meanwhile, Southport and Ormskirk NHS Trust’s head of IT said that healthcare organisations needed to confront the ‘it didn’t happen to us’ mentality and instead be proactive about building resilience, including seizing the opportunity to get involved with cybersecurity training programmes.

“At some point we will be asked to dig deep and assess the impact and decision-making guidelines,” he added. “It’s not an option not to invest. We need to address the culture”.