It was fascinating to read a Perspectives article in The New England Journal of Medicine, written by two physicians who practice inside the National Health Service (NHS) in the United Kingdom
It was fascinating to read a Perspectives article in The New England Journal of Medicine, written by two physicians who practice inside the National Health Service (NHS) in the United Kingdom. This was no ordinary op-ed: it was something akin to a whistleblower essay.
This op-ed, written by Rachel Clark, M.D. and Taryn Youngstein, M.D., and published online on August 3, under the headline, “Cyberattack on Britain’s National Health Service—a Wake-up Call for Modern Medicine,” was riveting.
Drs. Clark and Youngstein begin, “As you would expect in a pandemic, the headlines were alarmist: we were reportedly locked in a race against time to protect millions of patients from a new virus of unprecedented virulence that had crippled the United Kingdom’s National Health Service (NHS) and was spreading rapidly across the country. Except in this case, the virus was not organic but digital. On May 12, 2017,” they continue, “computer hackers attempted to hold the NHS hostage by exploiting a weakness in Microsoft operating systems. When NHS staff opened an apparently innocuous e-mail attachment, a ransomware worm known as ‘WannaCry’ infiltrated their computers, encrypting data and locking out users. Throughout the United Kingdom, NHS doctors and nurses found themselves helplessly staring at screens that ordered them to pay a Bitcoin ransom to unlock their computers.”
Here’s the thing: as Drs. Clark and Youngstein write, “Long before the headlines broke, those of us at work in the NHS that Friday sensed that something was amiss. Before official hospital alerts kicked in, we received messages from colleagues asking if we, too, had had our computers frozen. Rumors swiftly circulated: elective surgeries were being canceled, clinics rearranged, managers summoned to private meetings. A sense of unease began to build on the shop floor. As in every unfolding real-time crisis, confusion, bewilderment, and rumor were rife. Eventually, official news of the cyberattack broke. Whole hospital and primary care networks were suspended, and the NHS went into electronic lockdown.”
The doctors go on to write, “With lurid headlines lighting up our smartphones it would have been easy for staff and patients to panic. Information technology (IT) has become the linchpin of everything we do, with most NHS hospitals and general practices now using electronic notes, imaging systems, and drug-prescribing systems. We can just about survive without a stethoscope — once the symbol of our craft — but without our computer log-ins, modern medicine grinds to a halt. In fact, in many places, the chaos was to some degree preemptive. In a slick and effective attempt to protect themselves from harm, even hospitals unaffected by WannaCry were self-imposing electronic quarantine, avoiding infection by shutting down entire networks.”
Now, here’s the real kicker. “Certainly,” Drs. Clarke and Youngstein write, “for frontline doctors like us who are used to wrestling with clunky NHS IT systems, the biggest surprise of the malware attack was not that it happened but why it had taken so long. It is an irony lost on no NHS doctor that though we can transplant faces, build bionic limbs, even operate on fetuses still in the womb, a working, functional NHS computer can seem rarer and more precious than gold dust. But the NHS’s cyberattack experience has more nuanced and generalizable implications. First, it exposed the fact that although much has been written about cyberattacks potentially breaching confidential patient information, health care providers have not truly considered the physical harm that could befall our patients should an external party with malicious intent take over health service computers.4 This realization raises urgent questions about the necessity of equipping hospitals with fit-for-purpose IT. Digital security simply hadn’t been an NHS priority until WannaCry’s infection became the biggest cyberattack on critical infrastructure in U.K. history.” Further, the doctors describe the attack as “stressful, grueling, and exhausting — not least for the legions of NHS IT workers who toiled all night to update and then patch thousands of health service systems. For doctors,” they write, “it was a wake-up call.”
And, with regard to the infamous funding issues that have been bedeviling the NHS for decades, the authors write, “Underfunding ultimately left us horribly exposed to a predictable attack that threatened not just privacy but patient safety. If the WannaCry saga appears depressing, however — a realization of the perils of poorly funded health care — that was not the lesson we ultimately took from the experience. Facing adversity, with their backs against the wall, NHS staff quietly and resolutely got on with the job at hand.”