Cybersecurity and all that… (reflections on the Crowdstrike outage)

Brendan Delaney is a London GP and Chair in Medical Informatics and Decision Making at Imperial College Dept of Surgery and Cancer

What happened?

When I came into the practice on Friday morning the 19th of July, I really wouldn’t have expected to see the admin team frantically searching for the paper sheets we use when the ‘computers are down’. To be fair, I can’t recall the last time they had been used. This stands both as testament to the usual reliability of our EHR system and a degree of complacency I’m sure we can all be guilty of. We normally run a GP-led telephone triage for same day requests 8.30-10 am and 3-4 pm, and I’m pleased to say we started it only 30 mins late. With the EMIS business continuity mode we could see who was booked as routine and a summary as per the NHS ‘Summary Care Record’. We soon swung into action with paper and pen at hand. However, I hadn’t expected quite the number of ‘I had my bloods done 6 weeks ago and I still can’t see any results on the NHS app.’ Of course, we are still suffering the effects of the Synnovis cyberattack at our local SE London trust and it will be a while before normal service is resumed.1 It was hard not to feel a sense of collapse with the Crowdstrike ‘outage’ on top of the cyberattack,2 on top of my patients suffering repeated cancellations of hospital appointments and procedures.3 It seems that almost every other appointment is wasted on something that hasn’t been done, can’t be done, or really isn’t primary care’s responsibility.

So What?

Having been a GP since 1992 I can remember the times without an electronic health record, trying to decipher a previous GP’s scrawl in the Lloyd George envelope and the coloured dots on the cover that indicated a chronic condition. The whole of modern practice rests on both the EHR and networked services for requests and results. However, we still behave as if we are dealing with paper (if in pdf form), shuffling it around electronically and manually entering a code for a new diagnosis. Likewise, clinical decision support has become a monster where every attempt to enter something in the record is couched in a plethora of warnings, reminders, admonishments and potential interactions. Has no one ever read about alert fatigue?4 I’m looking at you, Ardens. I confess to nostalgic pleasure in writing a note unhindered, followed by signing a handwritten script. In my academic role as a Chair in Medical Informatics I hope that we can do better in future and that Artificial Intelligence can make the current approach seem as archaic as the Lloyd George envelope.5,6

What now?

The following week, having found the time to add the records on and catch up with all the things I promised, including calling patients back with answers to things after the system came back online, I can’t help but feel that General Practices can be very good at managing a crisis and nimbly prioritising needs. Those practices that were reported as closing their doors really need to look at their business continuity plans and get ready for the next time.7 Next time? Of course, the threat from hackers and ransomware, whether financially or politically motivated, grows ever greater.8 Systems designed to protect from this threat add an additional layer of complexity and failure points. NHS organisations will be looking very hard at their suppliers’ Data Security and Protection Toolkit form. Clearly, simply listing compliance is no longer adequate for a board to manage risk, and compliance must be demonstrated as part of the Cyber Assessment Framework (CAF).9 Likewise, whoever at Microsoft thought of allowing a supplier a free hand to apply their own updates to critical systems automatically, without any form of verification, must have some serious questions to answer. As GPs we get very concerned over the privacy of our patients’ records but tend not to think too much about the infrastructure that holds them. Certainly, at ICB level that is going to have to change.

 

References

  1. https://www.england.nhs.uk/synnovis-cyber-incident/ [accessed 28/7/24]
  2. https://www.bbc.co.uk/news/articles/cql841plqg4o [accessed 28/7/24]
  3. https://www.rcseng.ac.uk/news-and-events/media-centre/press-releases/rtt-waiting-times-may-2024/ [accessed 28/7/24]
  4. McGreevey JD 3rd, Mallozzi CP, Perkins RM, Shelov E, Schreiber R. Reducing Alert Burden in Electronic Health Records: State of the Art Recommendations from Four Health Systems. Appl Clin Inform. 2020 Jan;11(1):1-12. doi: 10.1055/s-0039-3402715. Epub 2020 Jan 1. PMID: 31893559; PMCID: PMC6938713.
  5. Poly TN, Islam MM, Muhtar MS, Yang HC, Nguyen PAA, Li YJ. Machine Learning Approach to Reduce Alert Fatigue Using a Disease Medication-Related Clinical Decision Support System: Model Development and Validation. JMIR Med Inform. 2020 Nov 19;8(11):e19489. doi: 10.2196/19489. PMID: 33211018; PMCID: PMC7714650.
  6. Domínguez J, Prociuk D, Marović B, et al. ROAD2H: Development and evaluation of an open-source explainable artificial intelligence approach for managing co-morbidity and clinical guidelines. Learn Health Sys. 2024; 8(2):e10391. doi:10.1002/lrh2.10391 [accessed 28/7/23]
  7. https://www.theguardian.com/society/article/2024/jul/19/nhs-patients-turned-away-as-microsoft-it-outages-hit-gp-surgeries [accessed 28/7/24]
  8. https://www.ft.com/content/77d54679-0915-4ce2-a42f-0c2b844da7ef [accessed 28/7/24]
  9. https://www.dsptoolkit.nhs.uk/News/DSPT-Changes-in-24-25 [accessed 28/7/24]

 

Featured photo by Christian Wiediger on Unsplash.

 
