Barts Health flagged reliance on XP ahead of cyber attack

As most trusts affected by the cyber attack return to more normal operation, how the ransomware infected so many NHS trusts so quickly is yet to be fully explained.

Investigations will likely focus on the investment in IT infrastructure, cyber security processes, and the continuing reliance on the vulnerable Windows XP system in some trusts. 

At Barts Health’s monthly trust board meeting in May, nine days before the global ransomware attack, the board was told “many trust PCs run Windows XP”. This dependence, and specifically compatibility problems with other software, was placed on the trust’s risk register. 

Barts Health has a history of damaging cyber attacks or IT infrastructure failures, with Friday’s the third in the past six months.

In April, the trust’s electronic imaging system was down for several days, after a “major computer equipment failure”.

In January, the trust was infected with a virus that shut down non-urgent pathology services at three hospitals, once again likely because of the trust’s reliance in Windows XP. 

Minutes from the trust’s April board meeting the trust’s board noted that, in light of two major IT disruptions, “some external testing of specific cyber security arrangements may be helpful”. 

In a statement provided to HSJ, Barts Health said the trust had worked with antivirus provider to keep its IT system up-to-date, and applied all security updates daily. 

”Once we have all our systems back online we will be able to review any gaps in this rollout.”

The trust had also prioritise capital funding for IT infrastructure, including £2m spent on desktops at Whipps Cross Hospital and a further £2m allocated for IT infrastructure at Newham Hospital. 

While most trusts infected in Friday’s ransomware attack have largely recovered, Bart’s Health, which is among the biggest in the country, was continuing to struggle on Firday.

In an update on Thursday, the trust told GPs it had made “significant progress” but several electronic services remained closed. 

These included maternity e-referrals, non-urgent pathology referrals and some community blood tests.

“The Whipps Cross phlebotomy service is only able to process urgent cases to ensure the trust’s labs are able to prioritise clinically urgent patients within the hospitals.”

In an update on Thursdayafternoon, the trust said while some system had been restored a minority of planned outpatient appointments and operations continued to be cancelled on Friday. 

“We have reduced the volume of planned operations and clinics on Friday to ensure we can continue to run all services safely,” the trust said in a statement late on Thursday afternoon.

”We are methodically working through our systems to make sure that we remove any trace of the infection and get back to a normal service as quickly as we can. ”

Meanwhile, two other trusts heavily disrupted by Friday’s cyber attack revealed further details on how the malware might have gained access and spread.

Southport and Ormskirk Hospital, which only stopped postponing appointments and operations on Thursday, admitted just days before the attack that it was unprepared. 

In a report to a board meeting on 3 May, the trust said it “was particularly vulnerable to cyber security attacks due to the use of legacy systems or systems that are no longer supported against known threats”.

Northumbria Healthcare FT said on Wednesday that all of its supported computers had the latest security updates, suggesting a machine running XP was to blame.

This story was modified at 11am on Friday to reflect updated information recieved by Barts Health, including removing ealier information that a minority urgent cancer referrals were being postponed.