
The spread of the Mytob computer virus at three hospitals run by
Barts and The London NHS Trust was entirely avoidable and caused by a
substantive failure of internal processes, Computer Weekly has
learned.
The virus took hold in Windows applications and spread by
forwarding itself to all e-mail addresses on infected
computers.
An independent report on what Barts and The London NHS Trust calls a
"major incident" said that the virus attack could have threatened the
well-being of patients, the morale of staff and the long-term
reputation of the trust.
In the end there was no evidence that the safety of patients had
been compromised, according to a report by consultant Tony Rowe, who
was commissioned by the trust to review management's response to
the incident.
His report will go before the trust's board today.
The trust says that although its anti-virus software was updated
daily, it was incorrectly configured on some PCs. This left open a
back door through which Mytob rapidly infiltrated the trust's
network of 4,700 PCs. Anti-virus software companies have known
about Mytob since 2005.
The review concluded that the incident was entirely avoidable -
there was a "substantive failure" of the Trust's information
governance processes "especially those operational processes in the
ICT [information and communication technologies] domain".
The virus was introduced accidentally. There was no specific
attack on the trust.
The trust's network was shut down while IT specialists checked
PCs one by one to ensure they were disinfected. Staff spotted the
effects of the virus on 17 November 2008.
A risk register maintained by Barts now includes a specific
rating for the threat of infection by a computer virus. Rowe's
review also identified a need for extra training for specific
staffing groups and a register of staff skills that would be useful
in an emergency.
The attack led to a "serious untoward incident" being reported
to NHS London, the capital's strategic health authority. Parts of
the network were down for two weeks and some patients were diverted
by ambulance to neighbouring hospitals.
Theatre operations were postponed, though they were immediately
rescheduled. Staff deferred patient appointments as doctors were
unable to make safe and effective clinical decisions because they
could not access diagnostic results on computers.
BT, the trust's local service provider under the National Programme
for IT [NPfIT], provided a team of 40 to help disinfect each of the
5,000 PCs and monitor the network. All neighbouring trusts loaned
staff to help disinfect PCs at the three hospitals run by Barts.