NHS trusts in England have experienced over 1,300 hours – or around 55 days – of downtime as a result of IT outages in the last three years, according to a Freedom of Information (FoI) request.
Enterprise IT firm Intercity Technology sent an FoI request to 143 NHS trusts in England. Of the 80 that responded, 25 (31%) reported they had experienced outages across their IT systems between January 2015 to February 2018.
Of the 25 trusts, 14 identified security breaches as the underlying cause.
In total, trusts reported 18 security breaches over the past three years. This included the WannaCry ransomware attack as well as the Locky and Zepto viruses, which in the most serious cases knocked IT systems offline for as much as two weeks.
One trust – which was not named in the findings – experienced an average of one breach per year, while another revealed an incident in which two hospital wards were knocked offline for two hours, after an unauthorised device was plugged into the network.
Intercity Technology noted that some of the downtime reported by trusts was a result of IT systems being disconnected as a precautionary measure as the WannaCry ransomware spread between NHS trusts in May 2017.
Ian Jackson, chief commercial officer at Intercity Technology said: “NHS trusts across England are currently being pushed to the limit. It’s not surprising that they often don’t have the resources to dedicate 24/7 support to their IT systems, and the majority of these breaches could be an unfortunate consequence of this.
“Technology has proven to help facilitate the provision of care within the NHS, boost efficiencies and alleviate some of the strain on the system. However, if the benefits are to outweigh the potential risks, it’s important to ensure that there are sufficient resources, whether in-house or external, to continuously monitor the network and address any issues before they impact daily activity.”
In January, NHS trusts in Wales and Manchester suffered major network outages, the latter of which was caused by a glitch at two NHS Wales data centres.
14 July 2018 @ 15:47
Dave,
My response was based solely on the information (article) provided. I would not consider a planned/scheduled or preventive (Wannacry) downtime as disastrous. As you are aware, such activities have plan B (alternative access) for uninterrupted workflow and, in some cases, skeletal access to primary features and functionalities. Thanks
12 July 2018 @ 12:34
We never received the FOI, although saying that system performance is published publically each month so wouldn’t have responded directly to the questions. Aside from the points already made, does “downtime” also include scheduled? As if the answers to the question is taken purely from reporting solutions it doesn’t paint true picture. Nor does the binary question anyway…. if say one network switch is down, doesn’t mean your network is. But if you’re on that switch you aren’t connecting to the system but the system is up. Kind of pointless FOI. Good thing we don’t get lots of those. No. Wait.
12 July 2018 @ 09:11
Lots of interesting analysis but one point that stands out for me is “…an FoI request to 143 NHS trusts in England. Of the 80 that responded …”. So 63, or 44%, of trusts are still not responding to perfectly reasonable FOI requests for information that any well-managed Trust IT department should have to hand. It would be interesting to see a list of the 63 trusts and their reasons for not bothering or not being able to respond. With so many trusts not responding it does cast some doubt on the accuracy of the above analysis particularly if there might some correlation between trusts not responding to basic FOI requests and those having major IT downtime issues.
11 July 2018 @ 19:53
Unlike most industries, zero tolerance (uptime) is expected in the health industry. 0.07% (downtime) deficiency is high. Irreversible damages and lives can be lost within that window. There should be no room for error in Clinical Decision Support (CDS) and other clinically integrated (CI) processes. A life lost is one too many.
11 July 2018 @ 20:01
I don’t think it is really the case that this is unacceptably high. The general business of healthcare can go on even if systems are unavailable for short periods, and I think it would be difficult to attribute loss of life to brief periods of downtime.
Does any industry have 100% uptime all the time of all its systems? Even the aviation industry still has pilots, and there are well documented incidents where the systems have failed them
14 July 2018 @ 11:48
You are reading too much into this. The downtime included disconnection to the internet as a precautionary measure during the WannaCry incident. Most Trusts have on prem EPRs etc so clinicians would have had full access to essential services. If this factor were to be removed, we’d probably be looking at four nines levels of availability.
11 July 2018 @ 13:50
These sort of large scale mean averages don’t really tell us a great deal about what’s really happening out there. Investing in infrastructure is not very fashionable but it does make all the difference to staff experience of systems.
As per the last comment the numbers seem pretty good and I would be happy with 99.93% uptime – although actually I think our Trust is pretty much there anyway, unplanned downtime is a very rare occurrence indeed. When it has happened it has usually been a result of external factors beyond our control (eg the dreaded JCB digging through a power cable)
11 July 2018 @ 10:41
Hmmm let’s look at those figures objectively.
80 responses covering 3 years.
1,300 hours divided by 3 = an average of 433 hours per year.
433 divided by 80 = 5.41 hours per year average per Trust.
There are 8,760 hours in a non-leap year
(8,760 – 5.41} divided by 8,760 x 100 = 99.93% availability!
Your headline should actually read “FOI request shows that NHS Trust systems were available for over 99.93% of a three year period – despite WannaCry!!!
The figures actually tell a different story than the article – but knocking NHS IT seems to be a national sport.
The NHS still has a long way to go so far as cyber-security is concerned, but shroud-waving and cherry-picking statistics doesn’t help resolve the issues at hand but merely puts stress on people who are delivering a pretty reliable service.