York Hospital cyber attack comment likely to cause concern (letter)

The article that the comment piece references accurately reports on a meeting of the Health and Wellbeing Board where deputy chief executive Mike Proctor provided an update on the Trust’s response to the cyber attack.

However, the editorial comments are inaccurate, speculative and likely to cause unnecessary concern.

To state that we were not expecting such an attack is false. The NHS, at a national level, is continually reviewing security. As directors we have discussed the threat posed by cyber crime.

To say that “the fact is that one of the reasons which led to the ransomware virus causing so much damage to health services was the failure of health trusts to apply the new patch” is, at this stage, speculation.

At the time of the attack we were in the process of a phased implementation of the patch or upgrade. This phased approach is necessary to ensure that we can continue to run our services around the clock.

To assume that we would employ any other, less considered approach, to patching is at best naïve. Patching is only one element of cyber security, and we have evidence that PCs were infected in those areas we had already upgraded, and it is important to recognise that this virus was a new variant and, in part, a new risk.

Saying that we will learn lessons from this does not automatically suggest wrongdoing or neglect on our part, as is the insinuation in the editorial comment.

It is a sad reflection of current attitudes to the NHS that there is an automatic assumption that we must be incompetent or wholly at fault, despite the fact that the virus affected multiple businesses in over 150 countries.

The fact that we were able to run all but a small number of appointments and operations and resumed normal business after the weekend, should be commended, and this has been the view shared by patients.

Patrick Crowley, Chief executive, York Teaching Hospitals NHS Foundation Trust