How Mytob caused havoc in the NHS

The Mytob virus has been removed from 5,000 PCs at three hospitals in London - but at a cost.

The Mytob virus has been removed from 5,000 PCs at three hospitals in London - but at a cost.

Mytob has been one of the most disruptive - and possibly the most disruptive - computer virus incidents within the NHS.

Computer Weekly has learned from a report by Charles Gutteridge, the medical director at Barts and The London, that the virus outbreak was so disruptive the trust reported a Serious Untoward Incident [SUI] to NHS London, the capital's strategic health authority.

But Gutteridge's report reveals mistakes that other organisations can learn from. It provides a rare insight into what happens in a large organisation when a virus takes hold, what problems it causes, and the weaknesses in backup systems it exposes.

The virus led to surgical procedures being postponed, trauma and complex cases being transferred to other hospitals, and the use of human "runners" to help with access to laboratory and x-ray information.

Staff deferred patient appointments as doctors were unable to make safe and effective clinical decisions because they could not access diagnostic results on computers.

BT, the trust's local service provider under the National Programme for IT, provided a team of 40 to help disinfect each of the 5,000 PCs and monitor the network. All neighbouring trusts including central London teaching hospitals provided staff to help disinfect PCs at the three hospitals run by Barts. Even then the network took two weeks to disinfect completely.

At one point an A&E team at Barts had to transfer to another London emergency hospital at Newham to treat a trauma patient.

Mytob infected the trust's PC network at some point before 17 November. It took hold in Windows applications and spread by forwarding itself to all e-mail addresses on the infected computer.

There is no evidence that Mytob's virus-writers aimed specifically at the trust - but experts say that once the virus takes hold, it can send alerts to hackers. Criminals could potentially gain access to confidential information on the network if no preventative action were taken.

Gutteridge said the virus generated large volumes of network traffic causing slow response times. Normal working became impossible.

The virus led to most of the trust's applications becoming inaccessible to clinicians including doctors working in pathology and those needing access to the electronic x-rays from the Picture Archiving and Communication System.

In response, the IT department switched off hubs that distributed network messages to each PC. They also put in place scripts to prevent infected PCs accessing the network. But these proved ineffective when large numbers of staff tried to log in the following morning, 18 November. The IT department shut down the network.

Now there is a backlog of work because information recorded on paper will need to be keyed into the trust's Cerner Care Record Service systems which were supplied by BT under the National programme for IT [NPfIT].

The incident shows that resilient IT systems - which are costly - are becoming more critical to the normal running of hospitals. Under the £12.7bn NPfIT, resilient systems are being provided - but access to them is through trust networks which may lack resilience and be susceptible to viruses if the latest security patches have not been installed. The NPfIT will make hospitals even more reliant on technology to treat patients and make appointments.

Gutteridge said, "The systems supporting and maintaining the network have been shown to require urgent review and improvement. As more and more patient-related data is only available on IT systems, the need for resilience within the network becomes more critical. It is clear that solving large-scale network interruptions requires expertise and staff numbers which are beyond the day-to-day ICT (information and communication technology) resources of the trust."

He said his paper "highlights risks that need to be addressed as part of the investigation of the incident".

The trust is due to publish a report on how the virus took hold at its January meeting.


Why restoration of service took so long

A report by Charles Gutteridge, the medical director at Barts and The London, explained why it took a long time to restore the network at three London hospitals after the Mytob virus took hold.

It took two weeks to restore normal working because:

• It was time-consuming to establish the diagnosis and an effective script for removing the virus from individual PCs.

• Disinfecting PCs had to be done manually at individual workstations as well as using remote methods controlled by the IT department.

• Once the network was shut down it became difficult to assess the extent of the infection and thus the resources necessary to resolve it.

• It was time-consuming communicating actions to staff across the dispersed sites.

• The re-introduction of PCs onto the network in larger numbers or in groups destabilised the network when some of the machines remained infected or were in the process of being cleaned.

• Although no safety incidents were recorded "it was clear that working on manual requesting [of blood and x-rays] and reporting systems introduced both real and perceived delays", said Gutteridge.


Serious Untoward Incident

Barts and The London has reported a Serious Untoward Incident [SUI] to NHS London, the capital's strategic health authority, in part to ensure that ministers and others are briefed as appropriate, and that lessons are learned by other organisations.

An SUI is reported when something happens in a trust which is unusual or unexpected and has the potential to cause serious harm and is likely to attract the interest of the public and media. SUIs are reported after the death of a patient in unusual circumstances or the failure of an important service.

More on the NPfIT in Tony Collins IT projects blog >>

Read more on Antivirus, firewall and IDS products