Trusts that have been in special measures were three times more likely to be hit by the recent NHS cyber-attack, according to an initial report.

A report published in the British Medical Journal (BMJ) days after the cyber-attack suggests there is a link between a trust’s cyber-attack susceptibility and its Care Quality Commission (CQC) rating.

Special measures is when a trust is found to be delivering inadequate care.

Amitava Banerjee, who wrote the piece and is a senior lecturer and honorary consultant cardiologist at University College London, told Digital Health News that “the main finding is that if you’ve been at some stage in special measures then you’re three times more likely to have been affected by the attack”.

“With the proviso, there are obviously trusts that have been affected to different extents.”

The letter said that between 2013 and 2017, 28 of the 153 acute trusts in England were placed in special measures by the CQC.

Out of the 48 trusts affected by the cyber-attack, 37 were directly attacked and shut down systems as a precaution. Out of those 37, 12 were in special measures at some stage between 2013 and 2017.

The report described the finding as a “crude, unadjusted odds ratio and there are limitations”, including a lack of detail on the severity of the attack, the level of digital maturity and the reason each trust was in special measures.

One of the trusts that was still affected four days after the attack was Colchester Hospital University NHS Foundation Trust, a trust that went into special measures in November 2013.

Banerjee said that the results could show that “coming out of special measures is a longer process than we think, or that in order to come out of special measures you might have to, whether it’s cut costs or do things that do not encourage digital security”.

He said that the CQC could consider whether it was measuring the right things, and encouraging the right system behaviours, if the trusts are ending up with less cyber security.

In July 2016, the CQC reviewed data security across the NHS in ‘Safe Data, Safe Care’ with a recommendation to amend its assessment framework and inspection approach to ensure data security standards are being met.

The review also confirms that the CQC will amend its assessment framework and inspection approach to include the new data security standards recommended in Dame Fiona’s report.

A CQC spokesperson said in a statement provided to Digital Health News that: “The package of recommendations that CQC made in last year’s Safe Data, Safe Care review were aimed at ensuring that providers took responsibility for data security seriously”.

She added that the CQC hopes to implement the new framework in June, and that since last July the CQC “have been working alongside NHS Digital on the development of CareCERT”.

Banerjee’s letter said that “events of last week [cyber-attack] will undoubtedly mean a far greater level of digital scrutiny during future CQC inspections”.

Banerjee described the letter as “hypothesis generating, rather than giving answers”, and said he would be taking the research further.