Dr. Saif Abed talks about the WannaCry attack
The WannaCry or WannaDecryptor virus was a world-wide phenomenon, but the NHS was badly hit. Dr Saif Abed, a founding partner of the health IT consultancy AbedGraham, talks to Highland Marketing’s strategy and content director, Lyn Whitfield, about the events of last week and says a forensic inquiry should be held into what went wrong; so the NHS can deal with the clinical and patient risk issues it exposed.
Want more articles like this one?
HM blog posts, tips and advice
News in brief
NHS cyber-attack: A&Es ‘fully open’ again: Patients are no longer being diverted away from A&E units following the cyber-attack, NHS England has said. When the computer virus struck last week 47 trusts were affected and seven had to close their doors in A&E to ambulances, reported the BBC. Some routine surgery and GP appointments were also cancelled across the NHS in the aftermath. The ransomware program demanded a payment worth £230 to unlock the affected computers. Hackers wanted their payment in the virtual currency Bitcoin, which is harder to trace. At the time prime minister Theresa May said it was not an attack targeted at the NHS. She said it was an international attack with a number of countries and organisations affected. LMC leaders are calling for financial compensation as practices continue to struggle through IT shutdowns and backlogs following the cyber-attack, reported GPOnline. In most cases practices have been affected by having systems switched off by local NHS IT support as a precaution, or to enable patches or updates to be installed, rather than being infected with the ransomware directly. The home secretary revealed that 47 of the 248 NHS trusts in England were hit during the “major” cyber-attack. A further 13 NHS health boards in Scotland were also targeted in the attack, reported ITV News.
NHS spending as proportion of GDP ‘would fall under Tories and Labour’: The Conservatives’ manifesto suggests the NHS will receive some additional revenue funding in 2018-19, but that spending over the next five years would be broadly in line with previous commitments, reported the Health Service Journal (HSJ, subscription required). The party has pledged a minimum £8bn extra in real terms for the NHS by 2022-23, above 2017-18 spending, while committing to real terms per capita growth in every year. This effectively extends the principle provided for in the 2015 spending review by funding the Five Year Forward View for another two years. But it also suggests there will be extra revenue funding in 2018-19, because previous spending commitments would have resulted in a decrease in spending per person next year. However, it appears the new commitment, and therefore the ringfence around health spending, will continue to apply only to NHS England’s budget. Labour’s plans imply health spending would be £11.6bn higher in real terms by 2022-23, but would fall to 7.23 per cent of GDP, while the Liberal Democrat manifesto suggests spending would be £8.5bn higher, but fall to 7.07 per cent of GDP. Nigel Edwards, chief executive of the Nuffield Trust, said of the £8bn pledge: “It is unclear how much new money this represents, or exactly when it would come onstream. We do not yet know whether promises of upgrades for buildings and IT will be backed by new spending, (and) the pledge does not apply to the £13.5bn of health funding not held by NHS England.”
Labour softens stance on STPs in its final election manifesto: Labour has softened two of its key manifesto pledges relating to sustainability and transformation plans (STPs), watering down the involvement of patients in rewriting them and suggesting the process will be reviewed, rather than simply stopped. The final version of the manifesto appears to water down the hardline stance it took in a draft version leaked last week, reported the Health Service Journal (subscription required). The official document, published this week, said: “Labour will halt and review the NHS ‘Sustainability and Transformation Plans’, which are looking at closing health services across England.” Last week’s leaked version simply said a Labour government would “halt” STPs. On the involvement of patients, the party has also pledged to “ask local people to participate in the redrawing of plans with a focus on patient need rather than available finances”. The leaked version said that, if elected, Labour would “ask local health groups to redraw the plans with a focus on patient need rather than available finances.” However, The King’s Fund chief executive Chris Ham said even the more moderate proposals in the final version could hold back reconfiguration. He added: “The proposal to halt STPs risks holding back essential changes to services. Labour is right that there has so far not been nearly enough engagement with the public and patients and this needs to happen, but where the case for change has been made politicians should not stand in the way.”
STP success will be ‘extremely challenging’ to achieve on time and to budget: Delivering sustainability and transformation plans (STPs) under the current timeframe and to financial targets will be “extremely challenging”, president of the Royal College of Physicians (RCP) Professor Jane Dacre has warned. Speaking to National Health Executive, the RCP leader said that whilst STPs represented a good opportunity to drive reform in the NHS, delivering them to time and achieving targets looked set to be an uphill task. Prof Dacre’s warning follows a number of other health leaders revealing their scepticism about STPs. Dame Ruth Carnall, a trustee of The King’s Fund, stated that STPs represented a “workaround” to serious deficiencies in health and social care, although she added that STPs were also “the only show in town” with regards to effective integration. And chair of the College of Medicine Dr Michael Dixon also said at the beginning of the month that STPs were “totally aspirational”, and needed to be backed by proper funding and corporate governance to be successful. “STPs present well-evidenced cases for change, and propose novel and appropriate methodologies for achieving this. However, the pace of change required and the financial expectations are extremely challenging, with some STPs more likely to be successful in some parts of the country compared to other parts due to differences in financial risk, engagement, urgent and emergency care targets and the scale of change needed,” added Prof Dacre.
NHS care ‘among the worst in Europe’: The NHS is among one of the worst health care systems in Europe due to poor cancer investment, a major study has found. Britain has been ranked 30th in a global list of countries assessed for health care quality and access, lagging behind many of its European neighbours, reported The Telegraph. Professor Martin McKee, from the London School of Hygiene & Tropical Medicine, who co-led the study, said: “The UK has made consistent progress since 1990, but with a score of 85, it now lags behind many of its European neighbours, including Finland, Sweden, Spain and Italy, all of which have health systems very similar to the British NHS and so are most directly comparable. The gap between what the UK achieves and what it would be expected to, given its level of development, is also wider than in other western European countries.” It revealed Britain performed poorly in some areas which included some cancers, an outcome blamed on lack of investment in specialist care. US lead author Dr Christopher Murray, director of the Institute for Health Metrics and Evaluation at the University of Washington, said: “What we have found about healthcare access and quality is disturbing. Having a strong economy does not guarantee good healthcare. Having great medical technology doesn’t either. We know this because people are not getting the care that should be expected for diseases with established treatments.”
TechUK manifesto calls on next government to put strong focus on digital: Ahead of the general election next month, techUK has launched a digital manifesto calling on the next government to place digital at the heart of its economic policy, reported Computer Weekly. The document, entitled Inventing the Future: the techUK manifesto 2017, set out the trade body’s digital vision for 2020 and beyond. It stated a series of government policy recommendations covering five different areas, including making Brexit work for the tech industry, economic growth, building a smarter state, skills and jobs, and “guaranteeing a safe and secure digital world”. It also called on the government to increase its national cyber security budget by 10% to invest in public service security, and to support the development of cyber security tools and make the UK a world leader in the field. The recent WannaCry ransomware attack that hit the NHS and businesses highlighted the “ever-increasing cyber threat” the world faces, the manifesto said. “This shows the critical importance of maintaining the highest level of cyber defences,” it said, pointing out that the government’s current investment in cyber security was welcome, but that more was needed. “TechUK calls on the new government to provide a 10% increase in the total National Cyber Security Strategy budget to strengthen government and public sector ICT. This would equate to almost £200m in extra funding,” TechUK’s CEO Julian David said. “Digital security is ‘fundamental’ to the UK. That’s why techUK’s cyber proposals would triple the funding for protecting government ICT and securing online services based on the previous budget.”
NHS Wales ‘unaffected’ by cyber-attack due to strong IT defences: NHS systems in Wales were not hit by the major ransomware cyber-attack that impacted England and Scotland due to ‘resilience defences’ against viruses, the Welsh government has said. In a written statement, the Welsh first minister Carwyn Jones said that the “ransomware has not affected the integrity of NHS systems here in Wales, partly due to the resilience defences already in place”, reported Pulse. The statement said that “to continue to protect NHS Wales from disruption, a number of extra security controls have been put in place”, including “temporarily blocking all external emails sent to NHS Wales and applying new anti-virus definitions and patches to both national and local systems”. Jones stressed that where the ransomware has been detected, immediate remedial action has been taken to prevent the virus spreading. This has meant that “no patient data has been compromised or lost”. At the same time, a statement from Cardiff and Vale University health board said: “To date, digital services in NHS Wales have been unaffected. Additional security controls are being put in place to help prevent further attacks.”
HSE official says health an ‘easy target’ for cyber-attacks: It would be “relatively easy” for a cyber-attack to “cripple” entire sectors of state infrastructure, and more attacks are coming, according to the chief information officer with the Health Service Executive, Richard Corbridge, who addressed a group of 100 business leaders this week in relation to cybe rsecurity and the digital future of healthcare. He said attacks like the one that struck the HSE last weekend will recur, reported the Irish Times. “There will be more cyber threats,” he said. “There will be more issues. My own gut feeling is that health is now a target across the world because we can’t really afford to lose data. One country lost 60% of its GP records. That’s kind of terrifying. We’ve got to deal with this by explaining to people how relatively easy it is to cripple whole parts of countries. We took the decision to protect our clinical systems way above [the issue of] keeping people on email. But cyber threats are now here to stay. Unfortunately, health has now become a relatively easy target, which is a sad state of affairs.” The National Cyber Security Centre in the Department of Communications is the state agency charged with network and information security. A senior official there has said that progress was being made in shoring up key infrastructure, but it was uncertain how the state would fare in the event of a sophisticated attack. These announcements followed statements that HSE Ireland discovered more than 5,000 cyber attack attempts were made at single hospital in one day, reported Health IT Central.
NHS urged to consider Microsoft alternatives following cyber-attacks: In the wake of the international cyber-attacks, which caused widespread disruption across NHS organisations, a small team of developers is recommending the health service reduce its reliance on Microsoft. The NHS almost exclusively uses Microsoft operating systems, some of which – like Windows XP – are no longer officially supported, reported DigitalHealth.net. To demonstrate that there is a licence-free alternative, GP Marcus Baw and technologist Rob Dyke have adapted the open source Linux-based Ubuntu operating system specifically for the NHS. They call it NHSbuntu. Dyke said adopting NHSbuntu could form part of a strategy for better securing of legacy operating systems and key clinical applications. He described residual NHS use of XP, including in medical devices and diagnostic equipment, as a “critical liability” in some trusts. Baw said the system also had the potential to save the NHS millions in licence fees currently paid to Microsoft, and suggested open source alternatives could be particularly suited for administrative, non-clinical and back-office users. Adoption of NHSbuntu could also potentially help the NHS make more widespread use of cloud computing. Ubuntu is already the most widely used operating system for cloud-based applications. So far NHSbuntu is just a working prototype, though it is a fully functional, secure operating system. Baw said: “This is research and development work and not yet production-ready. We’re very keen to develop an open and inclusive NHSbuntu community, and have an open forum for NHSbuntu.”
CQC to beef up NHS information governance inspections: With the effectiveness of information governance (IG) in the NHS under question, it has emerged that the Care Quality Commission (CQC) will be strengthening its own IG assessments of NHS hospitals, reported Government Computing. The new CQC inspection regime is not specifically in relation to last week’s cyber-attack – the planned ‘beefing up’ was already underway – but the problems affecting NHS IT are likely to drive close questioning by CQC inspectors. The change in IG regime followed the CQC recently consulting on proposals for its future regulation of NHS hospitals, with the proposals planning to introduce a new “key line of enquiry” for inspectors to use to look more closely at “whether robust and appropriate information is being effectively processed and challenged”. It followed a commitment the CQC made as a result of its recent Safe Data Safe Care report to amend its inspection approach to ensure “appropriate internal and external validation against the new data security standards have been carried out”. The response to the consultation and updated inspection frameworks are expected to be published next month. A CQC spokesperson pointed out that the organisation’s role is to assess and report on the quality of providers’ services, and take action where required. She said: “As part of this we expect providers to have robust arrangements for identifying and managing risks to their services, including risks around information governance, data security and IT systems.”
Patient data shared with Google on ‘inappropriate legal basis’, says NDG: The transfer of almost two million patient records from Royal Free London NHS Foundation Trust to Google’s artificial intelligence arm DeepMind may have been co-ordinated on an “inappropriate legal basis”, the national data guardian, Dame Fiona Caldicott, has argued. In a letter leaked to SkyNews, Dame Fiona told Prof Stephen Powis, Royal Free’s medical director, that the decision to transfer data of 1.6 million patients to DeepMind as part of the testing stage of Google’s Streams app with the justification of “implied consent” from patients may not hold up after all, reported National Health Executive. She argued that when work is taking place to develop new technology, this “cannot be regarded as direct care, even if the intended end result when the technology is deployed is to provide direct care”. “Implied consent is only an appropriate legal basis for the disclosure of identifiable data for the purposes of direct care if it aligns with people’s reasonable expectations, ie in a legitimate relationship,” wrote Dame Fiona in the letter, dated 20th February. “When I wrote to you in December, I said that I did not believe that when the patient data was shared with Google DeepMind, implied consent for direct care was an appropriate legal basis.” Her letter, which formed part of her contribution to an investigation into the matter led by data watchdog the Information Commissioner’s Office, also raised fresh concerns about the confidentiality of data sharing in the NHS after last week’s mammoth hacking breach. In a statement, however, a spokesperson from Royal Free said the foundation trust used a “safety-first approach” in testing Streams – an app designed to prevent unnecessary deaths linked to acute kidney injuries – using real data.
Bolton delivers one of the largest PAS mergers: Bolton NHS Foundation Trust has merged its hospital and community patient administration systems (PAS), in one of the largest merges of its kind in the UK, reported DigitalHealth.net. The merge, which took place in May, combined 300 million rows of data and 60 million appointments. The trust was operating two PAS’s after it became a combined acute and community trust in 2011. Ken Bradshaw, deputy chief informatics officer at Bolton, said the process of merging was a major undertaking, and will provide significant benefits for both patients and staff, including improved quality of the patient data captured. “Having records spread over two systems frustrated our attempts of becoming an integrated organisation, so the biggest benefit is actually having a single patient record that covers our entire community and that’s what we’ve done”, Bradshaw said. “Having a single patient administration system has been a huge piece of work for the trust, but one that will act as a platform for future digital development work,” he added. The trust worked with NHS Digital and supplier DXC (formerly CSC) which has the contract for the trust’s acute hospital PAS. “Here in Bolton we’ve made significant developments to our systems and infrastructure recently in order to become more digitally mature, including desktop deployment so that our busy staff can log onto any machine in the trust in seconds,” Bradshaw said.
Why you shouldn’t weep over WannaCry
The hacking of the NHS was bad, but not that bad, says James Woudhuysen, visiting professor of forecasting and innovation at London South Bank University. He notes that we shouldn’t weep over WannaCry for various reasons, in an article in Spiked.
“Alarmist reactions only embolden hackers,” he says. “In fact, WannaCry hit only 16 of England’s 47 NHS Trusts. Even the tawdry NHS has computer back-ups.
“WannaCry is bad news, but it doesn’t deserve hysteria. It locked up data; it didn’t destroy data.
“It’s true that WannaCry has exposed the myopia of health minister Jeremy Hunt, as well as a British investment crisis that, even if it isn’t by any means the NHS’s only problem, is certainly one of them.”
He notes: “Accurate knowledge about a likely threat not only has to be acquired, it has to be understood, passed on and acted upon. As UK defence secretary Michael Fallon was forced to admit in relation to complacent NHS managers, ‘We warned them, and they were warned again in the spring’. But nothing happened.
“In his remarks about the warnings given to the NHS, Fallon was really trying to pass the buck to Hunt.
“If NHS chiefs are continually distracted by constant government reorganisations, as they are, it’s no wonder they can’t take in the latest mind-numbing memo about IT.”
Nobody should have to die because we didn’t apply a security patch…
The impact of recent cyber-attacks reiterates a need for a recognised cadre of accountable professionals working in NHS IT, writes David Evans in Government Computing.
Evans, the director of policy and community for BCS, The Chartered Institute for IT, writes: “If there was no such thing as clinical professionals, and it was just a case of a bunch of people employed by managers to deliver healthcare, would you like that? A statement that the hospital’s policy was to avoid killing you, but that a number of deaths was inevitable… would that reassure you?
“Of course not; we know what it means to have doctors and nurses who are themselves professionally accountable for your care. That accountability is part of a system that gives those individuals training and support beyond their day to day job roles, and where they can get together to work out how to improve what they all do – and expect to see the results universally applied.
“Not so for those working in IT and information security in the NHS.”
Evans says that though they do “amazing work” there is currently no structural way of IT staff ensuring that they know how to do the right thing. “There are basic functions that every doctor, every nurse, every pharmacist in the NHS can perform safely every day. Ensuring a level of safety, security and integrity amongst information and systems is just the same – it’s not rocket science, it’s basic discipline. It is certainly the case that cyber security practice evolves more quickly than fitting of a cannula, but keeping your systems patched and up to date as a basic process has not changed massively in the last 10 years.
“We need a visible, recognised cadre of accountable professionals working in IT in the NHS, and we need a visible, cadre of accountable professionals working in information security across the public and private sectors. Both having a cross-over, of course. We need those professionals to be self-governing, public-focused, but accountable individually and collectively to the public they serve. That’s why we have professional bodies.”