It was fascinating to read a Perspectives article in The New England Journal of Medicine, written by two physicians who practice inside the National Health Service (NHS) in the United Kingdom. This was no ordinary op-ed: it was something akin to a whistleblower essay.
This op-ed, written by Rachel Clarke, M.D., and Taryn Youngstein, M.D., and published online on August 3 under the headline “Cyberattack on Britain’s National Health Service—a Wake-up Call for Modern Medicine,” was riveting.
Drs. Clarke and Youngstein begin, “As you would expect in a pandemic, the headlines were alarmist: we were reportedly locked in a race against time to protect millions of patients from a new virus of unprecedented virulence that had crippled the United Kingdom’s National Health Service (NHS) and was spreading rapidly across the country. Except in this case, the virus was not organic but digital. On May 12, 2017,” they continue, “computer hackers attempted to hold the NHS hostage by exploiting a weakness in Microsoft operating systems. When NHS staff opened an apparently innocuous e-mail attachment, a ransomware worm known as ‘WannaCry’ infiltrated their computers, encrypting data and locking out users. Throughout the United Kingdom, NHS doctors and nurses found themselves helplessly staring at screens that ordered them to pay a Bitcoin ransom to unlock their computers.”
Here’s the thing: as Drs. Clarke and Youngstein write, “Long before the headlines broke, those of us at work in the NHS that Friday sensed that something was amiss. Before official hospital alerts kicked in, we received messages from colleagues asking if we, too, had had our computers frozen. Rumors swiftly circulated: elective surgeries were being canceled, clinics rearranged, managers summoned to private meetings. A sense of unease began to build on the shop floor. As in every unfolding real-time crisis, confusion, bewilderment, and rumor were rife. Eventually, official news of the cyberattack broke. Whole hospital and primary care networks were suspended, and the NHS went into electronic lockdown.”
The doctors go on to write, “With lurid headlines lighting up our smartphones it would have been easy for staff and patients to panic. Information technology (IT) has become the linchpin of everything we do, with most NHS hospitals and general practices now using electronic notes, imaging systems, and drug-prescribing systems. We can just about survive without a stethoscope — once the symbol of our craft — but without our computer log-ins, modern medicine grinds to a halt. In fact, in many places, the chaos was to some degree preemptive. In a slick and effective attempt to protect themselves from harm, even hospitals unaffected by WannaCry were self-imposing electronic quarantine, avoiding infection by shutting down entire networks.”
Now, here’s the real kicker. “Certainly,” Drs. Clarke and Youngstein write, “for frontline doctors like us who are used to wrestling with clunky NHS IT systems, the biggest surprise of the malware attack was not that it happened but why it had taken so long. It is an irony lost on no NHS doctor that though we can transplant faces, build bionic limbs, even operate on fetuses still in the womb, a working, functional NHS computer can seem rarer and more precious than gold dust. But the NHS’s cyberattack experience has more nuanced and generalizable implications. First, it exposed the fact that although much has been written about cyberattacks potentially breaching confidential patient information, health care providers have not truly considered the physical harm that could befall our patients should an external party with malicious intent take over health service computers. This realization raises urgent questions about the necessity of equipping hospitals with fit-for-purpose IT. Digital security simply hadn’t been an NHS priority until WannaCry’s infection became the biggest cyberattack on critical infrastructure in U.K. history.” Further, the doctors describe the attack as “stressful, grueling, and exhausting — not least for the legions of NHS IT workers who toiled all night to update and then patch thousands of health service systems. For doctors,” they write, “it was a wake-up call.”
And, with regard to the infamous funding issues that have been bedeviling the NHS for decades, the authors write, “Underfunding ultimately left us horribly exposed to a predictable attack that threatened not just privacy but patient safety. If the WannaCry saga appears depressing, however — a realization of the perils of poorly funded health care — that was not the lesson we ultimately took from the experience. Facing adversity, with their backs against the wall, NHS staff quietly and resolutely got on with the job at hand.”
And that’s why I should not have been shocked—and yet was—to learn that the NHS’s information system was still operating on Windows XP. That’s right, Windows XP. Indeed, as Aatif Sulleyman wrote in The Independent of London on May 12, “Up to 90 per cent of NHS computers still run Windows XP, according to a report published in the BMJ [British Medical Journal] earlier this week. The operating system was released in 2001, and Microsoft cut support for it in 2014. People can continue to use the software, but doing so comes with enormous risks,” he wrote, quoting David Emm, the principal security researcher at international IT security firm Kaspersky, as saying that “Using XP is particularly bad because it’s no longer supported and there’s no way to patch it.” “Microsoft no longer builds or distributes security updates for XP, leaving it extremely vulnerable to viruses and cybercriminals. The company is extremely clear about how important it is to stop using XP,” Sulleyman noted.
So—yes—really—the leaders of the NHS had persisted in operating off Windows XP, despite repeated warnings. Indeed, as Jon Ungoed-Thomas and Dipesh Gadher reported on May 14 in The Sunday Times of London, NHS Digital, the IT organization behind the NHS, has been operating without a permanent chief executive; they additionally reported that Jeremy Hunt, the U.K.’s health secretary, had been “warned by watchdogs last July that NHS systems needed to be strengthened ‘as a matter of urgency.’ Dame Fiona Caldicott, the national data guardian, and the Care Quality Commission informed Hunt in an eight-page letter that there was a risk of ‘serious, large-scale data losses’ from a cyber-attack unless action was taken,” the Sunday Times reporters noted.
So… ohmygosh. This truly was IT operational malpractice at a very high level. And I am grateful to Drs. Clarke and Youngstein for sharing with The New England Journal of Medicine’s readers what this looked like as a lived experience from the inside, on the part of frontline physicians.
Now, let’s be clear: there isn’t a precise equivalent to this situation in the United States. For one thing, we don’t have a single unified national healthcare delivery system. What’s more, while the U.S. healthcare system certainly has its funding issues, there simply is no equivalent to the entire U.S. healthcare delivery system running off Windows XP.
But before we “Yanks” (as the British like to call us) get complacent about this, we should consider how deeply relevant this episode is to U.S. healthcare and healthcare IT, broadly speaking. The WannaCry explosion ricocheted across the globe in a matter of minutes—yes, we really are all connected now—and it affected the operations of the Spanish telephone company, the French national railway system, and banks in Russia and Ukraine, among other entities. What’s more, given how quickly patient care organizations in the U.S. are being connected, via health information exchange and other mechanisms, it is absolutely imaginable that we could face analogous calamities in the future.
So, what lessons should we take from all of this? First of all, an incredibly basic one: at this point in the evolution of U.S. healthcare, probably more than 90 percent of patient encounters are facilitated by some level of automation, either via the EHR directly or via some other clinical information system. These systems simply can no longer go down. Second, keeping all information systems in hospitals, medical groups, and health systems up to date in terms of IT security is no longer a “good to have” kind of thing—it is essential to keeping patient care operating and moving forward. This is no longer optional. And third, healthcare and healthcare IT leaders are not managing data and IT security in a vacuum; the opposite, really. The threats are growing and accelerating literally every day now. And in the United States, the majority of patient care organizations are not ready for what’s coming at them. Consider the simple fact that many medical devices that are connected through automation to EHRs are still running on XP and other insecure platforms. And that’s in the U.S.
So while we can cluck over the utter disaster that the WannaCry attack wreaked on the U.K.’s NHS, the reality is that literally every healthcare system in the world is vulnerable to the attacks coming from increasingly sophisticated hackers who are operating from every possible corner of the world. And, in the end, what Drs. Clarke and Youngstein had to say in this NEJM op-ed piece should serve as a warning—or at least, friendly advice from the already-burned—to patient care leaders in the U.S. Because, really, the NHS scenario, though it played out in a different context, is honestly not unimaginable over here. Trust their testimony.