A report released after an independent review concludes

Feb 3, 2009 12:13 GMT

An independent security audit, commissioned by The Barts and The London NHS Trust after its network was heavily infested by the Mytob worm, has concluded that the incident could easily have been avoided, and outlines the failure of the IT operational processes.

Back in November, operations at the Royal London Hospital, St. Bartholomew’s Hospital (Barts), and the London Chest Hospital, all part of the same NHS (National Health Service) Trust, were seriously affected after a worm, later identified as Mytob, rapidly spread on their networks.

The incident forced the Trust to activate emergency procedures and divert incoming ambulances to other hospitals in the area, while several non-urgent appointments that involved transportation were postponed. The IT staff needed several days to restore critical computer systems, and about two weeks to clean all the affected ones.

Even so, “The Trust maintained a safe environment for its patients and was able to keep its theatres and outpatients clinics operational throughout the incident,” the report notes, adding that “There was no unauthorised access to patient information, and the virus had no impact on the Trust’s electronic Care Records Service.”

The independent review performed by Tony Rowe, a security consultant specializing in Major Incident Management and Emergency Planning, concludes that “There was a ‘substantive failure’ of the Trust’s information governance processes.” More precisely, while the anti-virus software was generally updated daily, this did not happen on some computers where the security application was not properly configured.

The review also states that the worm made its way onto the network, which counted around 4,900 PCs, by accident and not through malicious intent. As a result, several recommendations were made to the Trust Board. These included staff training, command and control arrangements and facilities, and the drafting of additional Control Room documentation.

Phil Jones, director of ICT, and Kay Riley, chief nurse, point out in the report that “The review contains details that need to be shared with the board and more widely within the organisation, but would risk compromising security if they were released publicly.”

The fact that the incident did not compromise the well-being of patients, staff morale or the Trust’s reputation “reflects positively on the ability of personnel in all parts of the Trust to be reactive and flexible in rising to the very considerable challenges,” the review also underlines.