NHS cyber attack hits patient care with records left in ‘chaos’ three months on


Patient care is still being undermined at NHS mental health trusts and social care providers that were hit by a major cyber attack in August, doctors have warned.

Three months after the major attack wiped out NHS systems, patients’ records are missing, safety has been compromised, and medication doses are at risk of being missed amid ongoing “chaos”, i has been told.

Dr Andrew Molodynski, mental health lead at the British Medical Association, said the prolonged systems failure has damaged care because records are “integral to patients’ safety”.

Mental health patients’ records and safeguarding alerts have not been available in some trusts since 4 August, when NHS software provider, Advanced, was hit by a ransomware attack which targeted its Carenotes records system.

The August attack has been the most disruptive cyber security incident to hit the health service since the WannaCry ransomware attack in May 2017, which disrupted 80 NHS trusts and 603 NHS organisations, including 595 GP practices.

A total of 12 NHS mental health trusts have been hit by the cyber attack, potentially affecting tens of thousands of patients as well as social care providers.

According to Advanced’s own hazard log spreadsheet, seen by i, the risks associated with disruption to its server include “medication doses missed”, “required number of carers not met”, “basic needs not met, such as nutrition and personal care”, and “health needs not met, such as wound care and physical support”.

Advanced said: “We recognise that the restoration process has taken longer than we had initially anticipated and we have sought to communicate as clearly and transparently as we have been able.”

It said planned dates for restoring the system for each client have been communicated directly and that the “overall restoration programme remains on track”.

It comes as the NHS is facing a severe staffing crisis, coupled with the threat of real terms spending cuts under new Chancellor Jeremy Hunt.

Dr Molodynski told i the cyber attack has led to the “likelihood of preventable deaths” due to the chaos over patients’ records. A consultant psychiatrist, he said the outage has contributed to “near misses” when patients have self-harmed because clinicians have been unable to effectively plan their care, or when safeguarding alerts have not been flagged.

Dr Lizzie Toberty, GP lead at Doctors’ Association UK (DAUK), said: “The NHS has historically underinvested in IT infrastructure and this sort of chaos is the inevitable result.

“As always, DAUK advocates for better, targeted resources to enable staff to deliver the care our patients deserve.”

The 12 trusts running CareNotes are Mersey Care, South London and Maudsley, Coventry and Warwickshire, Camden and Islington, Cheshire and Wirral Partnership, Devon Partnership, Oxford Health, Tavistock and Portman, Sussex Partnership, Camden and Islington, Herefordshire and Worcestershire and Norfolk and Suffolk.

Patients receiving support from carers at home have also been at risk since the August cyber attack as the staff scheduling system used by almost 600 care organisations was impacted.

This means patients could miss out on visits from domiciliary carers as office staff have been forced to run care services manually, meaning vital medication might be missed or specific care not given.

A domiciliary care service manager told i that the outage has “trebled” the workload for office staff who have to manually complete tasks such as scheduling carers and sending out invoices, meaning quality control has fallen by the wayside.

“Over time, then, you’re really compromising on your safety,” said the manager, who will remain anonymous.

He said the risk of carers being sent to the wrong place and medication doses getting missed is “so much higher” while the system is down, as it has opened up room for human error.

Phil Booth, coordinator of MedConfidential – a group campaigning for confidentiality and consent in health and social care – said: “This is a pretty major ongoing incident affecting many bodies around the NHS and yet NHS England is saying nothing publicly on its website.”

A Government spokesperson said: “We are working closely with Advanced in supporting social care providers to minimise the impact of this incident.

“Since 2016, we have invested £300m to build cyber resilience, and we continue to invest in the health and care sector’s cyber security – including through our ambitious ‘cyber programme’ to drive down risk and extend protection.”

The National Cyber Security Centre said it is aware of the attack on Advanced systems and is “working with the company to fully understand the impact, while supporting the NHS”.

An NHS spokesperson said: “While Advanced work to resolve their software problems, we are supporting local health systems who are working incredibly hard to continue providing care and keep patients safe with tried and tested contingency plans in place, so the public should continue to use the NHS as normal.”

Mental health services

Mental health services in NHS trusts were left without access to online clinical records containing vital patient information including their diagnosis, the drugs they have been prescribed, records about sectioning and records of staff concern about potential abuse.

This is because Carenotes, a patient record software used by mental health services in 12 NHS trusts, was affected by the ransomware attack.

Each trust was left to roll out its own contingency plan, which included using read-only patient records along with an alternative system for recording patient notes as an “interim measure”.

Many of the impacted trusts resorted to recording information in several different ways, making it difficult for healthcare professionals to get a sense of continuity with their patients, i understands.

Dr Molodynski said staff at some trusts are still caring for seriously mentally unwell patients without having easy access to their history, their care plan or their safeguarding concerns.

He said: “These records are integral to patient safety, so, undoubtedly, a prolonged absence of these would have contributed to severe patient safety breaches, with the possible likelihood of preventable deaths.”

“There is good evidence that proper care planning and the use of safety alerts reduces mortality and morbidity. So the fact that they’re not available does mean that it will increase.

“It would be very difficult to identify individual cases but there’s no doubt that if the normal systems for safety and for checking can’t be accessed, that does have an impact on patient safety.”

The consultant psychiatrist said colleagues have flagged many “near misses” that could have been “much worse” since the Carenotes outage, for example, when a patient has self-harmed when they otherwise might not have.

Different trusts developed their own contingency plans, for example, by moving over to Microsoft Teams to record patient information when the cyberattack first struck.

Dr Molodynski said the impact on the administration staff was “massive” as they had to ring GPs to gather as much of the missing information as possible.

Three months later, “huge chunks” of information are still missing and it is unclear whether years of patient data on Carenotes will ever be recovered, he said, adding that some trusts are “giving up” and moving to new providers.

“There will always be an impact on the care of some patients,” said Dr Molodynski. “It will lessen over time, but at the moment it’s substantial and it’s affecting lots of people.”

It is common for mental health patients to come in and out of services over the years. Since the outage, clinicians have been “starting from scratch every time”, meaning patients have to repeat traumatic life events and doctors do not have a full understanding about their background or what treatment has helped in the past.

“If they’re at a high risk of self-harm and suicide, that’s all been lost. If they’re a risk to staff, that’s all been lost,” said Dr Molodynski.

He added: “I’ve been doing this since the mid-90s and it’s like going back to the beginning when we had paper notes and when you would go to A&E and literally just do the best you could.”

He suggested that the cyberattack would have been addressed more quickly if it had impacted acute care, such as heart disease or cancer.

“The fact that it’s mental health, and hardly anyone is talking about it, is quite illustrative of the stigma and Cinderella status of our specialty,” he said, adding: “It’s a real disgrace that it’s being allowed to carry on for so long.”

Oxford Health NHS Foundation Trust was severely impacted by the cyberattack, using Carenotes in 16 departments including child health, community health, eating disorders, learning disabilities, child and adolescent mental health services (CAMHS), assessment and risk management, and substance misuse and addiction.

Clinicians were provided with critical patient information in line with business continuity arrangements, but they were left without easy access to a comprehensive patient record system, i understands.

Oxford Health did not wish to comment.

South London and Maudsley NHS Foundation Trust was also seriously impacted by the Advanced cyberattack, using Carenotes for a range of purposes including assessment and risk management, CAMHS, patient care scheduling and bed management.

A trust spokesperson said the national outage led to “no access to our online clinical records held in a system provided by Advanced”.

They said “robust contingency plans” were “rapidly mobilised”, with an alternative patient record management rolled out to staff. However, mental health practitioners had to resort to read-only patient records, hospital and pathology notes, and the London Care Record, i understands.

Daily meetings with key staff members were held to ensure the plans were being effectively implemented, daily updates were shared and staff were given training, the trust said.

South London and Maudsley was the first to regain access to Carenotes on 15 September and is currently in the recovery phase, ensuring all data collected during the outage is accurate and imported into Advanced’s system.

They said: “As the first mental health trust in the country to regain full access to Advanced’s systems, we are very grateful to our staff who have worked extremely hard, putting in long hours to keep people who use our services safe during this challenging time.”

The outage is also understood to have impacted Camden and Islington NHS Foundation Trust. The organisation had a backup, so was able to access patient notes on a read-only basis up to the point the system went down, but the live updates function is still unavailable.

A spokesperson said: “Our business continuity plans immediately kicked in and we continued running all our clinical services without interruption. A secure system for recording patient notes has been introduced as an interim measure.

“Advanced has assured us that the security of patient records held on Carenotes was not breached during the cyber-attack. This incident has affected many other NHS organisations, nationally, and continues to be coordinated by NHS England at national level.”

Advanced said it has completed a rebuild of the Carenotes system, which is currently being tested with pilot sites. The company added that it is testing data importer tools to allow data captured during the outage period to be restored into live systems.

Care services

Patients receiving support from carers at home could miss out on visits due to the scheduling system being unavailable since the August cyberattack, meaning vital medication might be missed or specific care not given.

Staffplan, a rostering system used by almost 600 care organisations, will not be fully recovered until the end of the year, forcing many care service managers to seek out new systems in order to operate safely, i understands.

One manager working for Bluebird Care – a home care franchise that uses Staffplan in 200 of its 240 care services across the UK – described the impact of the cyberattack as so “horrendous” that the group has moved over to a new provider.

Currently, care services can request data extracts to provide information including about client billing, staff roles and rates, care worker listing, service user listing, service user contacts, care needs and risk plans.

However, “people buy these systems because you cannot run care services safely on spreadsheets,” said independent researcher, Rob Dyke, explaining that Staffplan is necessary for ensuring carers are in the right place at the right time as well as for billing and auditing purposes.

Moreover, Advanced has said that not all data requests are possible as some are dependent on a working version of the system rather than just access to the database.

The company confirmed in an incident summary released earlier this month that perpetrators of the attack were financially motivated and “were able to temporarily obtain a limited amount of information from our environment pertaining to approximately 16 of our Staffplan and Caresys customers”.

This means that hackers accessed and extracted data belonging to 16 of Advanced’s clients, but no further detail has been given about the number of individual data subjects whose sensitive information has been leaked.

The company said that it has notified each of those affected customers as the controllers of the exfiltrated data.

Since the Staffplan outage, the workload for Bluebird Care office staff “trebled”, according to a manager, who will remain anonymous. He said Staffplan “effectively ran the business” so employees had to schedule calls, send out invoices and organise the payroll manually, meaning vital tasks such as quality audits have fallen by the wayside.

“We were a lot more stretched, a lot more busy so we effectively couldn’t take on extra clients because we’re worried because you don’t know what your capacity is,” he told i.

He said the risk of carers being sent to the wrong place and medication doses getting missed is “so much higher” without Staffplan, as it opened up room for human error.

Staff morale was hindered by Advanced’s lack of communication about the severity of the situation, he added. The company told services from the beginning that a solution would be “imminent”, but now it will not be back until the end of the year.

Advanced said: “We recognise that the restoration process has taken longer than we had initially anticipated and we have sought to communicate as clearly and transparently as we have been able.”

A company spokesperson said it notified customers “immediately” after discovering the incident, adding it has been committed to providing customers with regular updates.

They added that data extracts up to the last backup on 3 August are available to customers, but the firm is still looking for ways of making additional data available.

A Bluebird Care manager said getting a new system was a “must have” as “there was no way we could have survived carrying on that way until Christmas”.

“It was too much work and we have to pick up on the other things such as spot checks, audits and customer reviews. That’s an essential part of our quality side of things. Over time, then, you’re really compromising on your safety,” he told i.

A spokesperson from the Bluebird Care head office said all their franchises that used Staffplan immediately activated contingency plans after the outage to “minimise disruption”.

A company representative said: “At Bluebird Care, our priority is always the health, safety and wellbeing of our valued customers and our team members. When the system used by a number of our offices became unavailable, we immediately put measures in place to minimise disruption, and we continue to work closely with our provider partners to resume our normal processes. We are grateful to our dedicated care assistants, who have gone above and beyond to continue delivering high-quality care for people in the comfort of their own homes.”

The Care Quality Commission (CQC) said it is aware of the August ransomware attack and that the affected care providers have been steered towards the relevant cybersecurity guidance.

A CQC spokesperson said: “We are in regular contact with DHSC [Department of Health and Social Care] on this issue and continue to monitor the effects that system disruptions such as this may have on people’s care needs.”

Advanced said planned dates for restoring the system for each client have been communicated directly and that the “overall restoration programme remains on track”.

What happened in the cyber attack?

The attack on 4 August caused widespread outages across the NHS, with software used for check-ins, personal records and the 111 service impacted.

Mental health services in NHS trusts were left without access to online clinical records containing vital patient information, including their diagnosis, the drugs they have been prescribed, records about sectioning and records of staff concern about potential abuse.

Each trust was left to roll out its own contingency plan, which included using read-only patient records along with an alternative system for recording patient notes as an “interim measure”.

Dr Molodynski said staff at some trusts are still caring for seriously mentally unwell patients without having easy access to their history, their care plan or their safeguarding concerns.

Meanwhile, patients receiving support from carers at home could miss out on visits due to the scheduling system being unavailable since the August cyberattack, meaning vital medication might be missed or specific care not given.

Staffplan, a rostering system used by almost 600 care organisations, will not be fully recovered until the end of the year, forcing many care service managers to seek out new systems in order to operate safely, i understands.
