Mental health trusts unable to access patient records after cyber attack

Two months after a ransomware attack, many mental health trusts are unable to access crucial patient data

20th October 2022
“This ongoing cyber incident has placed a huge burden on colleagues across Oxford Health, many of whom have worked considerably in excess of their contracted hours in order to deliver services.” Dr Nick Broughton, CEO, Oxford Health NHS Foundation Trust

Twelve mental health trusts are still struggling to gain access to electronic patient records (EPRs) after a cyber security attack on the NHS in August.

Trusts that use the CareNotes EPR software supplied by Advanced have been unable to access parts of their EPR systems since the ransomware attack on 4 August. Some of the systems affected by the attack will not be fully available again until 2023, according to a report in Digital Health.

The affected trusts are:

  • Mersey Care NHS Foundation Trust
  • South London and Maudsley NHS Foundation Trust
  • Coventry and Warwickshire Partnership NHS Trust
  • Camden and Islington NHS Foundation Trust
  • Cheshire and Wirral Partnership NHS Foundation Trust
  • Devon Partnership NHS Trust
  • Oxford Health NHS Foundation Trust
  • Tavistock and Portman NHS Foundation Trust
  • Sussex Partnership NHS Foundation Trust
  • Camden and Islington NHS Foundation Trust
  • Herefordshire and Worcestershire Health and Care NHS Trust
  • Norfolk and Suffolk NHS Foundation Trust

The attack has disrupted patient care, and some trusts are now implementing replacement EPR systems.

Some trusts initially switched to using Microsoft applications as a stop-gap, but have now decided to move to an alternative interim EPR supplied by RiO for at least 12 months. A source familiar with the incident told Digital Health that it was almost impossible to imagine trusts later returning to CareNotes.

A ‘critical patient safety issue’

When the ransomware attack happened, the NHS initially prioritised recovering the Initial Adastra system used by the NHS111 national emergency telephone support service. Most of it had been recovered by August 2022.

This has left mental health trusts still struggling, however. Community services, social care providers and care homes have also been disrupted.

An anonymous NHS digital leader told Digital Health that the now-unavailable EPR systems include “crucial data such as medication details for patients or details such as whether a patient is a potential danger to themselves and others.” The source said it was a “critical patient safety issue” and that it had been “hugely disruptive.”

The source questioned why mental health trusts had not been given high priority and why the ongoing disruption from the attack was not a national news story. “You can’t help but think that if this was a group of acute trusts this would be getting national front-page coverage and would have been sorted by now,” they added.

NHS trust board papers from September make plain the extent of the disruption to NHS services. The September report of the CEO of Oxford Health NHS Foundation Trust to the board states: “This ongoing cyber incident has placed a huge burden on colleagues across Oxford Health, many of whom have worked considerably in excess of their contracted hours in order to deliver services.” 

The September board papers at Camden and Islington state: “From early August, the Trust’s electronic patient record, known as CareNotes, has not been available. This is part of a wider national issue with the system provider, Advanced, being subject to a ransomware attack, which led to a national decision to suspend many of the systems it provides across the NHS and beyond. This incident has affected many other NHS organisations nationally and is being coordinated by NHS England at national level.”


FCC Insight

The revelation that staff at 12 mental health trusts are still unable to access vital parts of their patient health records two months after a cyberattack is extremely worrying. At worst, it is putting the lives of patients in danger. This recent attack, along with the 2017 WannaCry attack, shows just how vulnerable the NHS is to attacks from malicious external agents. The NHS relies increasingly heavily on digital systems to record vital patient information, and it is essential that those systems are as secure as they possibly can be. The NHS is a fragmented organisation, with hundreds of trusts responsible for managing their own IT, and it is imperative that a strategy is put in place for making sure both that cyber security is robust and that there are good backup plans in place in case of failure.