
The Mytob virus has been removed from 5,000 PCs
at three hospitals in London - but at a cost.
Mytob has been one of the most disruptive - and possibly the
most disruptive - computer virus incidents within the NHS.
Computer Weekly has learned from a report by Charles Gutteridge,
the medical director at Barts and The London, that the virus
outbreak was so disruptive the trust reported a Serious Untoward
Incident [SUI] to NHS London, the capital's strategic health
authority.
But Gutteridge's report reveals mistakes that other
organisations can learn from. It provides a rare insight into what
happens in a large organisation when a virus takes hold, what
problems it causes, and the weaknesses in backup systems it
exposes.
The virus led to surgical procedures being postponed, trauma and
complex cases being transferred to other hospitals, and the use of
human "runners" to help with access to laboratory and x-ray
information.
Staff deferred patient appointments as doctors were unable to
make safe and effective clinical decisions because they could not
access diagnostic results on computers.
BT, the trust's local service provider under the National Programme
for IT, provided a team of 40 to help disinfect each of the
5,000 PCs and monitor the network. All neighbouring trusts
including central London teaching hospitals provided staff to help
disinfect PCs at the three hospitals run by Barts. Even then the
network took two weeks to disinfect completely.
At one point an A&E team at Barts had to transfer to another
London emergency hospital at Newham to treat a trauma patient.
Mytob infected the trust's PC network at some point before 17
November. It took hold in Windows applications and spread by
forwarding itself to all e-mail addresses on the infected
computer.
There is no evidence that Mytob's virus-writers aimed
specifically at the trust - but experts say that once the virus
takes hold, it can send alerts to hackers. Criminals could
potentially gain access to confidential information on the network
if no preventative action were taken.
Gutteridge said the virus generated large volumes of network
traffic causing slow response times. Normal working became
impossible.
The virus led to most of the trust's applications becoming
inaccessible to clinicians including doctors working in pathology
and those needing access to the electronic x-rays from the
Picture Archiving and Communication System.
In response, the IT department switched off hubs that
distributed network messages to each PC. They also put in place
scripts to prevent infected PCs accessing the network. But these
proved ineffective when large numbers of staff tried to log in the
following morning, 18 November. The IT department shut down the
network.
Now there is a backlog of work because information recorded on
paper will need to be keyed into the trust's Cerner Care Record
Service systems which were supplied by BT under the National
Programme for IT [NPfIT].
The incident shows that resilient IT systems - which are costly
- are becoming more critical to the normal running of hospitals.
Under the £12.7bn NPfIT, resilient systems are being provided - but
access to them is through trust networks which may lack resilience
and be susceptible to viruses if the latest security patches have
not been installed. The NPfIT will make hospitals even more reliant
on technology to treat patients and make appointments.
Gutteridge said, "The systems supporting and maintaining the
network have been shown to require urgent review and improvement.
As more and more patient-related data is only available on IT
systems, the need for resilience within the network becomes more
critical. It is clear that solving large-scale network
interruptions requires expertise and staff numbers which are beyond
the day-to-day ICT (information and communication technology)
resources of the trust."
He said his paper "highlights risks that need to be addressed as
part of the investigation of the incident".
The trust is due to publish a report on how the virus took hold
at its January meeting.
Why restoration of service took so long
A report by Charles Gutteridge, the medical director at Barts
and The London, explained why it took a long time to restore the
network at three London hospitals after the Mytob virus took
hold.
It took two weeks to restore normal working because:
• It was time-consuming to establish the diagnosis and an
effective script for removing the virus from individual PCs.
• Disinfecting PCs had to be done manually at individual
workstations as well as using remote methods controlled by the IT
department.
• Once the network was shut down it became difficult to assess
the extent of the infection and thus the resources necessary to
resolve it.
• It was time-consuming communicating actions to staff across
the dispersed sites.
• The re-introduction of PCs onto the network in larger numbers
or in groups destabilised the network when some of the machines
remained infected or were in the process of being cleaned.
• Although no safety incidents were recorded "it was clear that
working on manual requesting [of blood and x-rays] and reporting
systems introduced both real and perceived delays", said
Gutteridge.
Serious Untoward Incident
Barts and The London has reported a Serious Untoward Incident
[SUI] to NHS London, the capital's strategic health authority, in
part to ensure that ministers and others are briefed as
appropriate, and that lessons are learned by other
organisations.
An SUI is reported when something happens in a trust which is
unusual or unexpected and has the potential to cause serious harm
and is likely to attract the interest of the public and media. SUIs
are reported after the death of a patient in unusual circumstances
or the failure of an important service.