Poor anti-virus left ‘back door’ for hospital attack

The computer virus attack that infiltrated Barts and the London NHS Trust's 4,700-strong PC network last year was due to anti-virus software not being implemented properly.

This was according to an independent review carried out by Tony Rowe, a specialist IT consultant recommended by the NHS London Programme for IT.

As well as calling the incident "entirely avoidable", the review said that there was a "substantive failure" of the Trust's information governance processes, especially those within the ICT domain.

Although the Trust's virus protection was updated on a daily basis prior to the attack, it did not reach all PCs and was configured incorrectly on some PCs.

This left the "back door" which the Mytob virus used to infiltrate the network. The investigation also revealed that the virus was introduced accidentally, with no malicious intent.

The report concluded: "This incident could have threatened the well-being of patients and the morale of staff, as well as the long-term reputation of the Trust."

However, the report had some praise for hospital staff, saying that the possibility of such a serious outcome did not turn into reality thanks to their flexible and reactive responses. Rowe said that it was a difficult and challenging incident for the hospital community.

An intensive programme of measures to improve management systems and processes is now due for completion by April, which will improve the Trust's protection and significantly reduce the risk of another attack.