The spread of the Mytob computer virus at three hospitals run by Barts and The London NHS Trust was entirely avoidable and caused by a substantive failure of internal processes, Computer Weekly has learned.
The virus infected Windows PCs and spread by mailing copies of itself to every e-mail address found on the infected computers.
An independent report on what Barts and The London NHS Trust calls a "major incident" said that the virus attack could have threatened the well-being of patients, the morale of staff and the long-term reputation of the trust.
In the end there was no evidence that the safety of patients had been compromised, according to a report by consultant Tony Rowe who was commissioned by the trust to review management's response to the incident.
His report will go before the trust's board today.
The trust says that although its anti-virus software was updated daily, it was incorrectly configured on some PCs. This left open a back door through which Mytob rapidly infiltrated the trust's network of 4,700 PCs. Anti-virus software companies have known about Mytob since 2005.
The review concluded that the incident was entirely avoidable: there was a "substantive failure" of the trust's information governance processes, "especially those operational processes in the ICT [information and communication technologies] domain".
The virus was introduced accidentally. There was no specific attack on the trust.
The trust's network was shut down while IT specialists checked PCs one by one to ensure they were disinfected. Staff spotted the effects of the virus on 17 November 2008.
A risk register maintained by Barts now includes a specific rating for the threat of infection by a computer virus. Rowe's review also identified a need for extra training for specific staffing groups and a register of staff skills that would be useful in an emergency.
The attack led to a "serious untoward incident" being reported to NHS London, the capital's strategic health authority. Parts of the network were down for two weeks and some patients were diverted by ambulance to neighbouring hospitals.
Theatre operations were postponed, though they were immediately rescheduled. Staff deferred patient appointments as doctors were unable to make safe and effective clinical decisions because they could not access diagnostic results on computers.
BT, the trust's local service provider under the National Programme for IT [NPfIT], provided a team of 40 to help disinfect each of the 5,000 PCs and monitor the network. All neighbouring trusts loaned staff to help disinfect PCs at the three hospitals run by Barts.