Proper Planning Prevents…

What lessons can be taken for future major incident planning from the NHS cyber attack? Helen Buckingham reflects and reports back from our New Cavendish Group.

Blog post

Published: 19/05/2017

Friday 12th May 2017, International Nurses Day. Hugely heart-warming Twitter feeds full of #FlorenceNightingale and #NurseHeroes. But as the day wore on the celebratory stories were gradually overtaken by more worrying reports, with trust after trust being hit by the impact of the worldwide Wanna Decryptor ransomware attack. #CyberAttack began to trend.  

As the weekend progressed the new heroes on social media became the IT teams rolling out the patches, the porters forming human chains to replace the computer-reliant crash call systems, the runners taking handwritten notes around hospitals, and the communications teams getting messages out to local communities. In a few places, Chief Executives took to Twitter to thank their Gold, Silver and Bronze commanders and their emergency planning teams. 

For this was, by anyone’s definition, a major incident. Many commentators have already discussed the NHS’ preparedness (or otherwise) for a cyber security incident, but there are lessons which can and should be taken from these events for major incident planning more generally. We discussed the experience with a number of hospital Chief Executives at our New Cavendish Group.

Without exception, these Chief Executives described a ‘Dunkirk spirit’ in their hospitals. “The staff response was phenomenal.” From all the coverage we have seen, that spirit rose to the occasion equally strongly in community and primary care settings.

But the Chief Executives were rather less consistent when talking about the response they received from above. There was some positive feedback here too: “The regular progress checks were helpful and informative.” “GE were quick to help”. But we also heard examples of “huge confusion” on the part of people making calls to trusts from different national bodies and from local Clinical Commissioning Groups. There were reporting requirements which failed to distinguish between mission-critical IT systems and PCs or systems which could safely be isolated and recovered over a longer period of time. Requirements for hourly reporting through day and night, even on non-critical systems. An email asking for confirmation that the Chief Executive had read the previous email, when it was already known their system was switched off.  

So what does this experience tell us about our state of readiness for a major incident? The NHS prepares regularly and well for those incidents we hope will never happen on our patch or our watch, but which are inevitable – the train crash, the gas explosion, the major fire. The response of the London Ambulance Service, Guy’s & St Thomas’ Hospital and other parts of the London health and care system to the recent terrorist attack in Westminster appeared exemplary.

We know that the highest priority on the government risk register when it was last published in 2015 was pandemic flu. The risk register is normally published every two years, and in the next edition we can expect to see anti-microbial resistance moving rapidly up the agenda. Unlike a train crash or explosion, the occurrence of either of these would be by their nature prolonged, and impact a wide area. Local emergency planning teams and public health professionals will be well aware of them. But IT professionals were very well aware of the risk of a significant cybersecurity incident – that knowledge in itself was not enough to prevent a significant impact on the NHS last week.

NHS England takes the lead for Emergency Planning Resilience and Response under the terms of the Health & Social Care Act 2012. A quick check of the NHS England website yields a wide range of relevant documents, including guidance on preparation for pandemic flu. It’s clear, for example, that all local NHS organisations should be active participants in their Local Health Resilience Partnership. It’s interesting to speculate, in the context of last week’s events, how senior the representation at that group is in many systems, how regularly individual organisations consider Emergency Preparedness, Resilience and Response (EPRR) plans at their boards, and whether EPRR issues should be on the agenda for Accountable Care Organisation discussions in future.       

It is notable that none of the documents on NHS England’s website seem to reference any role for NHS Improvement or their predecessor organisations Monitor and the Trust Development Authority. They are neither Category 1 nor Category 2 responders under the terms of the Civil Contingencies Act. And yet NHS Improvement – completely understandably – played a very active role in responding to last week’s events, as of course did NHS Digital. Feedback from the New Cavendish group suggested that it was not clear in every instance how the national organisations were co-ordinating their response.

Without a doubt there will be learning from last week. Even before then, the latest update on pandemic flu available from NHS England indicates that they have been working closely with other national bodies on an update of the framework, and it’s fair to expect that that will be very clear on the respective roles and responsibilities of NHS England as the lead agency for EPRR, NHS Improvement as the body with oversight of providers, and other national bodies as relevant to incidents which may arise.  

In the end though, the Civil Contingencies Act is clear. Responsibility rests with each individual category 1 responder – including every NHS Trust and Foundation Trust – to plan effectively for major incidents of whatever nature. Boards should be asking some very searching questions of themselves as they learn from the experiences of the last few days.

And maybe, just maybe, next May 12th we’ll see #InternationalEmergencyPlannersDay trending alongside #InternationalNursesDay.

Suggested citation

Buckingham H (2017) 'Proper Planning Prevents…'. Nuffield Trust comment. 19 May 2017. https://www.nuffieldtrust.org.uk/news-item/proper-planning-prevents
