The infection of computer systems at Barts and The London NHS Trust was "entirely avoidable", according to a review carried out by an independent IT specialist for the hospitals.
The results of the review appeared in an internal trust report on the Mytob infection, which affected St Bartholomew's in the City, The Royal London in Whitechapel and The London Chest Hospital in Bethnal Green in November.
Deficiencies in operational processes were in part to blame for the infection, according to IT consultant Tony Rowe, who undertook the independent review for the trust into why the virus was able to penetrate its systems. The hospitals demonstrated "a substantive failure" in information governance, said Rowe in a quote in the report to the trust board on the computer virus attack.
While virus protection was updated daily, not all the PCs received the updates, Rowe said. The antivirus software was also not configured correctly on some of the PCs, leaving a backdoor for the virus to infiltrate and permeate the network.
The virus infected systems in the three hospitals for a week before it was brought under control. Rowe concluded that "this incident could have threatened the wellbeing of patients and morale of staff, as well as the long-term reputation of the trust".
The Barts and The London NHS Trust report said that while some operations had to be postponed, none of them was urgent. It also said there had been no unauthorised access to patient information, and the hospitals' care-records service had not been disrupted.
"Following infiltration, the trust has completed essential repairs to its antivirus software across its 4,700-strong PC network to reduce its vulnerability to attack", the report stated.
Systems were declared safe on the 24 November. Recommendations to improve security made by Rowe include additional training to specific staffing groups and improvement of administration and documentation. The Barts and The London NHS Trust report said the hospitals have already started on an improvement programme following these recommendations, and it expects all measures to be introduced by April.