GPs are sharing patient records on Word documents via email amid ongoing disruptions from the NHS cyber attack.
There are concerns that the move could endanger patient privacy.
Advanced, a major IT provider to the health service, is being held for ransom by hackers over fears that millions of confidential data could be compromised.
Blackmailers are asking for money in exchange for not leaking confidential data, cutting the NHS from accessing key services in the meantime.
GP practices are now forced to access vital patient information via Microsoft Word documents sent to their NHS email.
Patient rights groups warned the emails could be “easily intercepted” by hackers and put patients at risk.
They found that too much reliance on digital-only systems in the health service makes it vulnerable to future attacks.
Hackers have made demands on an IT company providing NHS trusts after it was hacked last week, it was claimed today. Pictured: Advanced company’s Adastra software used by 85 percent of England’s NHS 111 providers
What happened in the NHS cyber attack and who was affected?
Cyber criminals attacked a company that supplies IT to NHS providers last week.
Software company Advanced, which provides patient data to dozens of trusts and 85 percent of England’s NHS 111 providers, was hacked last Thursday.
Advanced’s Adastra software, one of the systems attacked and used by NHS 111, covers 40 million patients, according to the company.
Affected NHS 111 callers are currently unable to access the GP records or NHS numbers of people calling the non-emergency service.
They also cannot make electronic bookings with GPs or send ambulances for patients while the Adastra software is still offline.
GP notes, medical records and unique NHS numbers of patients may have been stolen in the attack.
The criminals also hacked into the company’s Carenotes EPR software, which contains mental health data.
The affected mental health trusts warned that staff are currently facing a “pretty desperate” situation and still cannot access vital patient records.
An update on GP practices in Liverpool as seen by the GP magazine Pulse todaystates that data-sharing methods are ‘not ideal’, but that doctors are blind to the information is a greater risk.
It is not clear whether data will be shared with practices in Liverpool in this way or if the move is widespread. MailOnline has contacted Advanced and the NHS.
The letter states: “We have agreed that information about clinical consultations will be sent in the form of a Microsoft Word document via secure email to your practice’s nhs.net email account.
“This allows practices to view key patient information and choose how that information is captured in practice systems.”
It added: “While not ideal, it is considered a lower risk to patient care than practices that go unseen during out-of-hours interactions.”
The update told medics to regularly check their emails to make sure they’ve received the records until they’re told the usual “clinical system” is working again.
Dennis Reed, director of Silver Voices, a campaign group for the over-60s, told MailOnline that emails containing patient information “can be easily intercepted” by hackers who want to do so.
He said: “There is an increasing over-reliance on digital systems and there are not enough backups if the system is hacked or sabotaged.”
This makes the UK a ‘refuge for hostile states’ as the lack of paper documentation makes the ‘crown jewels available for hostile states to cause mischief,’ Mr Reed said.
‘What happens if all or a group of patient data is deleted? Doctors would lose access to vital information such as allergies and medical history,” he said.
More needs to be done to protect patient information and protect it from attacks on the NHS system because ‘if they can interfere with 111, the same can be done for 999’, he added.
Rachel Power, Chief Executive of the Patient Association, told MailOnline: ‘Sharing patient information between healthcare facilities is essential to delivering collaborative care that works for the patient, and that’s important.
“If services are forced to use different systems due to a cyber attack, it is essential that this is done with all appropriate safeguards to ensure that sensitive information remains confidential.
“It is important that the NHS explain to patients what is happening and how their data is being protected, and whether they can or should do anything to protect their sensitive health information.”
A spokesperson for NHS England said: ‘While Advanced has confirmed that the incident affecting their software is ransomware, the NHS has been trialling and testing contingency plans, including robust defenses to protect our own networks, as we work with the National Cyber Security Agency. Security Center to fully understand the impact.
“The public should continue to use NHS services as normal, including NHS 111 for those unwell, although some people may have to wait longer than usual, as always, if it’s an emergency, call 999.”
An Advanced spokesperson said files are only “requested, created and distributed in a secure manner,” with customers requesting data through the portal and then being linked to a platform to collect the data.
Advanced first spotted the ransomware attack at 7 a.m. on August 4 and tried to contain the hackers, who were reportedly seeking monetary compensation.”
It said there is “nothing to indicate” that the NHS is at further risk of malware spreading.
In an update on Wednesday, the IT company said it is working to bring the affected NHS services back online within the next few days.
Affected services include Adastra, which allows emergency staff to refer GPs, dispatch ambulances and share patient records with other NHS staff.
Caresys and Carenotes, which are used to manage care homes.
An anonymous NHS pharmacist this week told the BBC that the attack meant they couldn’t read the patient’s medical history, forcing their team to “make near-blind clinical decisions.”
An internal NHS memo, leaked to the guardwarned that the cyberattack poses “significant challenges” to the health service and that solving the problems arising from the incident – such as manually typing notes on paper – “may take some time”.
HOW DID THE 2017 WANNACRY CYBER ATTACK cripple the NHS?
More than a third of hospital trusts had their systems crippled during the WannaCry ransomware attack in May 2017.
Nearly 20,000 hospital appointments were canceled because the NHS failed to provide basic security against cyber attackers.
NHS officials claimed 47 trusts were affected – but the National Audit Office (NAO) found the impact was much greater and in fact 81 were affected by the attack.
When the attack began on May 12, it tore through the antiquated defenses of the NHS.
More than a third of hospital trusts had their systems crippled during last May’s WannaCry ransomware attack
The virus, which spread via email, locked staff out of their computers and demanded £230 to release the files on each employee account.
Hospital staff reported that computers went down “one by one” when the attack took hold.
Excluded medics had to rely on pen and paper, while crucial equipment such as MRI machines were also rendered useless by the attack.
The report reveals that nearly 19,500 medical appointments were canceled, including 139 potential cancer referrals. Five hospitals even had to divert ambulances at the height of the crisis.
Hospitals were found to be running outdated computer systems, such as Windows XP and Windows 7, that had not been updated to protect them against such attacks. Computers at nearly 600 GP practices were also affected.
NAO claimed that the cyber attack could have been easily prevented. Officials were repeatedly warned about the WannaCry virus in advance, with “critical warnings” being sent out in March and April.
Foreign Minister Lord Ahmad confirmed that the attack was carried out by the notorious North Korean cyber-espionage group Lazarus.
Computer systems in 150 countries became involved in the incident, with screens freezing warning that they would not be unlocked unless a ransom was paid.
The Ministry of Health said hospitals will be subject to unannounced IT security inspections from January 2018.