The content of this website is intended for healthcare professionals only

Previous Posts

1 2 3  > 

Your files are locked

Hard-wired GP

Luke Koupparis

Wednesday, 28 June 2017

computer_shutterstock_667763311.jpgThe recent WannaCry cyber-attack on the NHS caused it to grind to a halt with many users told to power down their PCs through fear of the virus spreading and demanding a ransom to unlock important files. Hospitals and GP surgeries throughout the country had to turn away patients and cancel appointments or even operating lists.

We have all been told not to click on links within emails that we don’t recognise and many staff are getting much better at recognising the offending messages; “Your account has been suspended” or “HMRC need to urgently speak to you about a tax refund” are just two common examples.

However, the new malware attacks seem to be exploiting holes within the operating system. The latest cyber-attack seemed to hit machines that had not patched their windows operating system. WannaCry exploited a vulnerability in Microsoft, which released a patch to fix it in March 2017. However, many NHS organisations hadn’t installed updates on their computers for some time, causing this security hole to stay open.

But where do these viruses originate from? What is interesting is that government agencies across the world may have contributed or even provided the building blocks for the attack. Following last month’s WannaCry outbreak, some of the blame was directed at US intelligence agencies the CIA and the National Security Agency (NSA) who were accused of “stockpiling” software code which could be exploited by hackers. This software was allegedly leaked by a hacker group calling themselves “The Shadow Brokers” into general circulation, allowing anyone to use it as a weapon.

In our area, we escaped relatively unscathed which was a huge relief. This was down to our excellent IT teams who patch our machines remotely with key updates, as and when they are released. However, despite the possible chaos that an attack can cause, I still hear staff members complaining about their computers being updated and restarted and how this is a real annoyance to their day. Possibly, unless you have been affected by a serious computer virus or malware attack, you may see this requirement to update as a mere annoyance sent to cause havoc to your day.

But, in our digital life, as in the NHS, we want smooth, fast transactions. Many patients now assume their notes to be available both in out-of-hours as well as when they attend secondary care for appointments. Many accept that there is information transfer between hospitals and GP surgeries and this is done quickly as soon as a referral is indicated. Our clinical systems are increasingly cloud based and soon many patient documents will be held within the cloud, facilitating closer working in systems such as those offered by GP clusters, delivering extended-hours care.

However, the public has little tolerance of clinical data that has been lost. It was revealed in February that thousands of documents containing medical notes, test results and treatment plans were put into storage for years by mistake. A recent National Audit Office report found this led to around 1,700 cases of potential harm caused to patients. The BMA came out to say the failures made by NHS SBS relating to delays and mislaid clinical correspondence were “a disgrace” and called on the government to ensure such a situation never happened again.

So, surely we cannot have it all ways? If we wish to have information available to clinicians when a patient presents, then staff working within the NHS must accept the inconvenience of computers being kept secure. Patients will also expect this to be hard wired into the NHS so they can be secure in the knowledge that their personal clinical information is safe. There will always be people who feel we should stick with local, paper based records and opt-out of any data sharing. But, are these patients putting their health at risk for example if they are admitted to hospital and unable to give staff clear background medical information? Possibly.

The NHS is trying to fight back and empower staff to protect themselves. NHS Digital is offering support to many NHS organisations to undertake cyber-security testing and also by providing training for healthcare staff to ensure they know how to keep secure in an increasingly digital world.

What is clear is that cyber-crime and malware is a part of our daily life. We cannot be complacent to the security challenges that we face within the NHS. There will always be a risk posed by human-error and this must be mitigated as much as possible by regular training. Perhaps we need to think about cyber-safety training as do for resuscitation teaching, and have annual face to face sessions mandatory for all staff. However, with the fast-paced internet driven world we now live in, this may not be enough to protect us from further attacks.

Author's Image

Luke Koupparis

Luke is a general practitioner in the Bristol area with interests in men's health, child health, minor surgery, online education and medical information technology. He is the IT lead for Bristol clinical commissioning group, LMC representative and chair of the locality provider group. He also works as the medical editor to OnMedica helping to deliver high quality, peer reviewed information to the wider medical community. In his spare time he is a keen road cyclist and likes to ski with his children.
Registered in England and Wales. Reg No. 2530185. c/o Wilmington plc, 5th Floor, 10 Whitechapel High Street, London E1 8QS. Reg No. 30158470