Jackie Sullivan, Director at Royal London Hospital at Barts Health, together with Sarah Jenson – Chief Information Officer at Barts Health, provided a presentation on the cyber attack which took place on 12 May 2017 at the NHS Trust.   The presentation covered the following points:

·         That the virus was initially discovered in the x-ray machine, followed by more calls received indicating that PCs were also defective.

·         Newham was the first site, within Barts Health, to be affected.

·         A decision was made to shut down all technology to protect neighbouring providers and NHS systems.

·         Work undertaken to segregate networks and to schedule engineer visits.

·         Service areas within Barts Health were prioritised, for example, restoring the stroke and heart centres were first priority.

·         The difficulty presented by the high level of media scrutiny and presence. 

·         Systems were largely restored by 24 May 2017.  Since that date significant work was undertaken on recovery plans.

·         The fact that the cyber attack was treated as a London-wide major incident, as when trauma centres were closed, increased pressure was put on other trauma centres.

·         There were 120 in-patient cancellations, which all would be re-booked and seen before the end of July 2017.

·         The fact that imaging was an area of concern as, since the attack, waiting times had increased from 6 weeks to 12 weeks.

·         That the NHS Trust was vulnerable to the cyber attack due to a Microsoft Windows vulnerability as all medical equipment ran on a Windows operating system. 

Members then asked questions on points of detail.

The Chair asked what arrangements had been put in place to provide protection from such attacks in the future.  Ms Jenson said that there was no guarantee that such an incident would not occur again, nor that the anti-virus protection would release a security to prevent future similar incidents.  She also stated that it was unknown whether the NHS Trust would recover more quickly from such incidents in the future.  She added that relevant staff were looking into how the Trust could recover more quickly in the future.  Ms Sullivan referred to the many positives, including the innovative workarounds that allowed staff to provide a service, such as burning discs in order to view images and the improved performance of many staff members – as there were no computers, staff had to verbally communicate with each other.  She added that the Trust had learnt from the experience and referred to the Trust’s absolute commitment to patient care.  She referred to a Harm Review which was being undertaken to ensure that the incident had not indirectly caused harm to any patients.

Councillor Chesterton asked whether there were significant financial costs as a result of the attack.  Ms Jenson confirmed that the exact costs were still being calculated.  She added that the Trust had needed specialist helps with some areas, which was expensive.  Councillor Chesterton asked that when the calculations were complete that they were fed back to the Committee as it was important to know the financial consequences of the cyber attack.  Ms Sullivan explained that it would be difficult to provide exact figures.  She pointed out that there had been a lot of good, which would be difficult to put a valuation on.  She confirmed that with regard to the large costs, they could provide details. 

Councillor Chesterton pointed out that there was a cost to not investing in the future and suggested upgrading systems by purchasing technology that was at less risk to attack.  Ms Jenson explained that none of the systems used by her teams were affected as they shut everything down.  She confirmed that of the 12,000 PCs approximately 7% were infected.

Councillor Jones asked whether costs could be recovered through insurance.  She also said she was pleased to see that patients’ individual notes would be available when they moved home or changed surgeries.  Ms Jenson said that it was the intention to move away from paper files.  She added that insurance had not been considered and that it was something they would look into.  Mr Simon Hall, NHS Tower Hamlets Clinical Commissioning Group, said that with the issue of notes, they were trying to take a more joined up approach.  He stressed the importance of continuity of care and patients’ having access to their notes.  He added that GPs are linked in the London Borough of Tower Hamlets.  Referring to the cyber incident, Mr Hall said that it was important to find more sophisticated ways of communicating, giving the example of staff using whats app while emails were down. 

David Burbidge, representative of Healthwatch Tower Hamlets, pointed out that operations had been cancelled before the cyber attack and that Barts had been operating on a 17 year old system.  He stated that there had been no investment in IT and referred to the fact that a brand new hospital with brand new computers was relying on old software.  He gave the example of patients turning up to appointments that had been cancelled, of which they had received no notification.  He asked whether more could have been done.  Ms Jenson explained that there was a complex layer of technologies and stated that servers and x-ray machines were not supported by Microsoft. 

Mr Burbidge also referred to the money which patients spent on travelling to relevant appointments and that those in receipt of benefits had a statutory right to claim expenses.  He said that a common complaint was that the fact that expenses were available to be claimed was information that was not made as available as it could have been.  Ms Sullivan explained that all relevant data on patients were not available due to computer access issues.  She confirmed that they contacted who they could but did not know who they were expecting.  She referred to the fact that messages were posted on social media sites.  She said that surgeries were cancelled as they did not have access to blood work or imaging, so undertaking surgeries would have been dangerous.  Ms Sullivan said that most surgeries were cancelled within 3 days of the cyber attack. She also referred to the problems experiences by dental surgeries, which rely on imaging.

Maternity Unit

The Chair asked for an update on the maternity unit at the Royal London Hospital. 

Ms Sullivan made the following points:

·         That the maternity unit was completed in April 2016. 

·         The unit was then inspected by the Care Quality Commission (CQC) in July 2016 and found the unit to be inadequate, particularly around being safe and well led.  

·         That since that finding, a Maternity Partnership Board had been set up which had its first meeting in November 2016. 

·         The Board was well-represented and included Councillor Clare Harrisson, representatives from CCG and patients.

·         The main themes that the Board focussed on were culture, partnership working and security of the unit.

·         Recruitment of midwives was a challenge, but fill rate had increased from 84% to 90%.

·         The appointment of a maternity matron and the difference the appointment had made to the unit.

·         The work undertaken with mothers – many wanted their partners to stay at the unit.  There were concerns about how other mothers would feel about.  A system was being trialled for 3 months, which will be reviewed by the Maternity Partnership Board.

·         Due to criticism received that fathers did not feel involved, a “Dad’s Club” had been set up.

·         Feedback suggested the maternity unit has improved – feedback cards are being improved to provide more pertinent information. 

·         Work is undergoing around observing practices and feeding back to relevant teams.

·         Mindfulness sessions were being given to staff.

·         Team talks provided for staff to keep them engaged.

·         Posters have been produced in 11 languages to inform people how and where to get help. 

·         That there had been issues around the security of the unit.  The CQC had identified instances where the required two labels on babies in the unit were not in place.  As a result, daily checks have been introduced and labels had been re-designed so that they were softer on the skin. 

·         The Trust’s Abduction Policy was not being tested and many members of staff were not aware of the policy. Knowledge of the policy was now being tested and changes and outcomes were logged.

·         CQC visited unannounced and gave positive feedback, including improved staffing levels.

·         A recruitment drive to employ local people through Strategic Partnership Board and to employ more young people through apprenticeship schemes. 

Councillor Chesterton pointed out that the opening of the maternity ward was cancelled due to the cyber attack and asked whether there were plans to reschedule.  Ms Sullivan confirmed that there were plans to reschedule and stated that given the situation they were in during the cyber attack, it did not seem appropriate to proceed with the ward’s opening.

The Chair described the work undertaken to improve the maternity unit as impressive and looked forward to a detailed report to be submitted to the Committee in autumn.