[co-authors: Stuart Knowles, Duncan Astill - Mills & Reeve LLP.]
Serious trouble for all health and care providers looms large.
High risk women in labour and major trauma cases are being diverted to other hospitals after a cyber-attack recently shut down services at a hospital in the East of England, Northern Lincolnshire and Goole Hospitals NHS Foundation Trust.
Putting aside why anyone would want to put people’s lives at risk (would you pay a ransom demand), the Trust’s three main hospitals have suffered a near total shutdown of vital IT systems.
Information is the life-blood of the health sector and the seriousness of this event and a likely re-occurrence cannot be underestimated.
This comes following the UK Government announced its cyber defence initiative. It is scary stuff and it will affect all of us – as organisations and vulnerable individuals.
The UK National Health Service (NHS) is already doing a lot of work on the problem. NHS Digital previously the Health and Social Care Information Centre, has warned that, despite some improvements, boards of most health and care organisations still do not have this on their agenda.
We are aware of serious attacks on health providers outside the UK in recent months which have led to ransom demands where computers were infected by ransomware – a malicious piece of software which locks up systems until a ransom is paid to get them unblocked (ransomware). There have been other serious attacks on health and care providers in the UK but this latest is one of the most serious and high profile – as far as we are aware – and should be seen as a portent of things to come. It is less than two weeks since (it is alleged) the Russians attacked major IT systems in the UK and elsewhere shutting down Twitter and a whole lot more – websites and services both large and small.
Attacks will get bigger and more sophisticated. The threat to patient safety is real and universal. Imagine if the emergency department or an ambulance trust was suddenly infected. Chaos would ensue and lives put at real and immediate risk. Cyber-attack may have no warning.
A failure to plan, to protect your systems and to manage a crisis properly will lead to serious consequences. Quite apart from the threat to patient safety and the career limiting consequences for managers that would arise from death, you would have to deal with a mix (or all) of the following:
Potential manslaughter / corporate manslaughter
Health and safety
Claims for civil liability
Reputational damage and serious loss of business
Without doubt, board members of every health and care organisations must have assurance on the enforcement of the strictest technical safeguards and personal responsibility. Demonstrable compliance is not optional. Vulnerability assessments and penetration tests (hacking with consent) are a ‘no-brainer’.
NHS Digital has a cyber security programme which provides a valuable resource designed to help health and care organisations improve local cyber security.
The recent review of Data Security, Consent and Opt Outs by the UK National Data Guardian, Dame Fiona Caldicott sets out ten clear standards organisations should follow to increase data security.
For more information on risks and liability you can read our briefing for the UK health and care sector: Criminal liability in health and social care settings – the changing landscape.