Cyber security update : Please be extra vigilant

Did you know that one of the most common attempts to breach cyber security defences is the use of scam emails.

Scam emails are fraudulent messages that try to trick you into giving away personal, medical or financial information, or infect your device with malware to steal data. 

These emails can be very convincing and may appear to come from a legitimate source, such as a person or organisation you know. 

Please ensure you report anything suspicious immediately to your IT Service Desk, who can also be contacted for cyber security guidance and advice.

Additional support, including hints and tips, can also be found on the Be Cyber Savvy website managed by the Cheshire and Merseyside Heath and Care Partnership Cyber Security Group.

Contingency arrangements in the event of telephone failure

If a incident occurs that results in the telephone system being unavailable it was recognised that Divisions need to review their list of critical services and identify which services require a business continuity mobile phone so they can continue to be contactable in an emergency.  Divisions are working with I Mersey  to develop this.  Once confirmed, the mobile phone list can be made available for reference during telephone downtime periods. 

British Medical Association (BMA) Industrial Action, Thursday 27 June to Tuesday 2 July 2024

The Trust held industrial action planning meetings leading up to the strike action period and command and control arrangements were in place throughout the strike action period.  The Trust will continue to follow the same planning and response process for future period of industrial action.

Training

The EPRR team offer the following training opportunities to staff:

  • Business Continuity Plan development sessions
  • Local Health Command (mandatory) training for Tactical and Operational commanders
  • Decision-Loggist training
  • Switchboard METHANE Training

If you are interested in finding out more or if you feel that you need something specific, the team would like to hear from you, please email Emergency.Planning@merseycare.nhs.uk

Good practice identified - do you know the “what 3 words” for your exact location?  

Download the App, you never know when you may need to give a specific location, and it’s welcomed by the emergency services to support them when responding to an incident.

If you would like to discuss any of the incident responses or learning contained within this Round Up, please email: Emergency.Planning@merseycare.nhs.uk

Kensington Health Centre Fire (09 March 2024)

The On-Call Manager was alerted to the fire at Kensington Health Centre via the Trust switchboard, whom in turn, had been alerted via a senior member of staff who had seen the incident reported on Social Media.  

  • If you are based in a building which is maintained by a landlord and not our Estates Department are you aware of the Landlords contact details in hours and out of hours and the correct route of communication between the landlord and the Trust?  Please reference these details in your contingency plan so your On Call Manager can refer to it if required
  • Estates Senior Manager On Call : available seven days per week; between the hours of 5pm and 8pm, Monday to Friday and 8am to 8pm, Saturday and Sunday.

Estates Internal Self Delivery Team : on call from 5pm and 8pm, Monday to Friday and provide 24 hour cover at weekends.

Rio – Intermittent Disruption (29 February 2024 to 8 March 2024)

The was a recent intermittent disruption to the Rio system. The system uses ‘Beacon’ as contingency arrangement which allows users to view Rio information and in turn reduce the risk of error and continuiation of service provision.  If you use Rio, are the Beacon contingency arrangements referenced in your Business Continuity action cards?  If not, now is the time to reference it in your plans.  Other learning identified is as follows:

  • If a contractor is making system changes late in the afternoon, or leading into a weekend, ensure the contractor is available out of hours to respond to any unexpected issue
  • When systems are due to be updated, I Mersey will set up pre planned meetings throughout the day, for divisions to escalate any issues to
  • While Beacon is a Contingency for the Rio system, there are lots of other critical IT systems.  Work is now taking place with I Mersey to review the critical IT patient facing systems and confirm the contingency arrangements available which can feed into Divisional Business Continuity Plans.

Exercise Tergo (10 April 2024)

The Emergency Plannig Team facilitated an exercise to test the validity of the Trust’s ‘Management of Self Presenters involved in a Hazardous Materials Incident Plan’ (HAZMAT Plan).  Staff with specific roles relating to WiCs / UTCs attended, along with representation from the Senior Leadership Team, On Call Commanders, Clinicians, Estates, Facilities, Health and Safety and the Communications Team.  We were extremely pleased to also have representation from North West Ambulance Service, UK Health and Security Agency, NHS England North West and Cheshire & Merseyside ICB EPRR Teams and it was an excellent opportunity for collaboration and discussion regarding the response.

The post-Exercise Debrief identified some really useful key learning which will be incorporated into the Trusts HAZMAT Plan and once approved, will be available on YourSpace.  

Exercise: Changing seasons

A desktop exercise was held on Thursday, 14 March 2024 to test the Trust’s Adverse Weather response arrangements.  The exercise concluded that the Trust has a helpful and responsive plan in place.  Some minor learning points were identified as follows:

  • Emergency Planning will be discussing with Estates to identify if additional gritting bins can be made available, due to the number of sites covered in Mersey Care
  • Inclusion of Operational On Call Managers in weather alerts
  • It is not always useful to arrangement planning meetings first thing in the morning when Commanders are busy responding to the situation.  Next time, a meeting will be set up slightly later, with Divisions asked to join, only if they have something to escalate

Caution with unusual email requests

There have been several incidences reported about people receiving emails from a genuine NHS email address asking the receiver to look at an attachment or asking how to change their bank account details.  

These emails seem to have one of two purposes:

  • Asking the receiver to look at or download an attachment, or click on a link, with no explanation.
  • Asking someone from HR / Payroll how to go about changing their bank account.

Advice: All NHS staff should maintain vigilance over the authenticity of the emails that they receive. If a work colleague usually signs off “Best Wishes, Kaz”, and the email you receive is different, phone them to check if it’s genuine. If the tone or context of any email appears different to normal, or the email address looks different, please be cautious.

Training

The EPRR team offer the following training opportunities to staff:

  • Business Continuity Plan development sessions
  • Local Health Command (mandatory) training for Tactical and Operational commanders
  • Decision-Loggist training.

If you are interested in finding out more or if you feel that you need something specific, the team would like to hear from you, please email Emergency.Planning@merseycare.nhs.uk

Good practice identified

Once again, setting up an MS Teams Chat when responding to an incident proved very helpful and allows users to escalate issues as they arise, resulting in a faster collaborative response.

If you would like to discuss any of the incident responses or learning contained within this Round Up, please email: Emergency.Planning@merseycare.nhs.uk

Weekend Closure of Kirkby UTC (10 and 11 February 2024)

Following routine maintenance and water testing, small traces of legionella species bacteria were found in the dead leg of piping in the toilet at St Chad’s Health Centre. This resulted in Kirkby UTC (based within this building) being required to close for a weekend whilst essential chlorination work was undertaken.

The planning for this closure was well co-ordinated and a comprehensive contingency plan was developed to mitigate the impact on service  users.  

A subsequent debrief session was held and some key learning was identified which may be worthy of consideration by your team / service:

  • If you are based in a building which is maintained by a landlord, are you aware of their contact details and the correct route of communication between the landlord and the Trust?
  • Early communication / escalation of soft intelligence can support with planning for and mitigating any potential disruptions to service delivery.

Health Roster System: planned downtime

Was your team affected by the recent planned downtime of the Health Roster system?  Are the contingencies that your team put in place to mitigate the impact on service delivery captured in the action cards attached to your Business Continuity Plan? 

Training

The EPRR team offer the following training opportunities to staff:

  • Business Continuity Plan development sessions
  • Local Health Command (mandatory) training for Tactical and Operational commanders
  • Decision-Loggist training.

If you are interested in finding out more or if you feel that you need something specific, the team would like to hear from you, please email Emergency.Planning@merseycare.nhs.uk

Good practice identified

Quarterly audits of the Trust Incident Control Centres (ICCs) have proved invaluable in ensuring that all essential equipment is functional and updated Incident Response Plans are available. Are you an On Call Manager? If so, are you familiar with the location of your Divisional ICC and it’s contents?  

To arrange an orientation visit please contact your Divisional EPRR Lead as follows:

  • Community Care Division – Lee Bloomfield / Andrew Jones
  • Secure Care Division – Diane Rice

Mental Health Care Division – Tracy Le Surf

If you would like to discuss any of the incident responses or learning contained within this Round Up, please email Emergency.Planning@merseycare.nhs.uk

Exercise Bill - IT outage

On Tuesday 7 November 2023, a desktop exercise took place to validate the Trust’s internal escalation process and to test the effectiveness of local Business Continuity Plans in the event of a significant IT outage.

The post exercise report identified some key pieces of learning for consideration:

  • How meaningful are the action cards incorporated within your Team’s Business Continuity Plan? Would they support and guide staff in the event of a cyber attack or significant IT outage and mitigate the impact on service users?
  • Are all team members confident that they know how to escalate and maintain communication with their line manager in the event that IT or telephone connections were disrupted?
  • Are you an On-Call Manager? 
    • Are you familiar with your divisional Incident Co-ordination Centre(s) (ICCs) in terms of its location and facilities?  If not, please contact your Divisional EPRR Lead*
    • Are you in possession of a Pocket Decision log book for use when you are on call? During an incident response, you can use it to record, times you were contacted and what actions and decisions you made. During a recent incident review meeting (debrief), the Decision Log was used as a point of reference, to be able to report on incident timings, the situation, the options that were available to the commander and the action that was taken. Having this log book to refer to at the meeting was essential to being able to discuss what went well and any points of learning. If you don’t already have a pocket decision log book, please contact the Emergency Planning Team who will arrange for you to receive one 
    • Are you clear about the start and finish time of your on-call duty?  If you aren’t, please contact your divisional EPRR Lead*.

The clinical divisional EPRR leads are:

  • Community Care Division, Lee Bloomfield
  • Secure Care Division, Diane Rice
  • Mental Health Care Division, Tracy Le Surf.

Fire in admin office

Did you know that all corridors and entrance areas should be kept free from combustible items, including pieces of furniture and filing cabinets? 

To keep staff, service users and visitors safe, are you regularly reviewing your environment to make sure that there is clear egress in the event of fire or an incident requiring evacuation from the building?

Fire at Broadoak

Following a fire in one of the Trust Ward areas in December 2023, it was noted that the Fire Service’s statement was “fire was out, we are able to occupy the building” however it did not reference whether there were any structural issues or associated risks such as asbestos.  

The Fire Safety Team are developing a checklist of  potential questions that staff can ask the Fire Service and the Estates Team.  This will allow staff to identify any structural issues or associated risks and enable safe return to the building.

Positive learning: During the debrief it was noted that the Trust fire safety training is sufficient as staff responded to the incident in the right way, calmly and effectively.

Training

The EPRR team offer the following training opportunities to staff

  • Business Continuity Plan development sessions
  • Local health command training for tactical and operational commanders
  • Loggist training (new sessions coming soon).

If you are interested in finding out more or if you feel that you need something specific, the team would like to hear from you, please email Emergency.Planning@merseycare.nhs.uk

Good practice identified

Contacting the Emergency Planning Team

During the escalation of a recent incident, it was noted that not all staff are aware of the names of members of the Emergency Planning Team, and as such telephoned switchboard to gain contact. To mitigate the risk of this situation reoccurring, the Emergency Planning Team have now introduced a softphone telephone number 0151 296 7218. The Team can be contacted Monday to Friday between the hours of 09:00 hrs and 17:00 hrs.

Can your teams be contacted, even if the names of individual team members are unknown?

 

If you would like to discuss any of the incident responses or learning contained within this bulletin, please email Emergency.Planning@merseycare.nhs.uk

Industrial action

The Trust is currently awaiting the outcome of further industrial action ballots for Consultants and Doctors in Training, which are expected to be received mid December 2023.

Exercise Bill - IT exercise

On Tuesday 7 November 2023, a desktop exercise took place to validate the Trust’s internal escalation process and to test the effectiveness of local Business Continuity Plans in the event of a significant IT outage.

The post exercise report is undergoing finalisation and therefore, the learning will be provided in the next newsletter. 

Electrial disruption

As a result of an electrical disruption on Maghull Health Park on 16 August 2023, a Business Continuity (Level 1) Incident was declared, which was subsequently stood down on 3 September 2023.  

A debrief session acknowledged the timeliness of the initial incident response and excellent collaborative working throughout the period of disruption. There was learning identified in terms of communicating the incident to the required external organisations and the Trust has updated its incident escalation flowcharts to reflect this. The Secure Care Division is also updating their action cards to include all the actions they took during the incident, along with any learning they identified along the way.

Some points for you to consider/action:

  • Do and your teams debrief after an incident and review the action cards attached to your Business Continuity Plan? It is good practice to consider whether any key pieces of learning from an incident can be captured and added to your action cards, as they may help inform decision making during future incidents and enhance the response
  • Is your team aware of which critical systems require a manual reset following an electrical drisruption or outage? Having a checklist available in your business continuity action card that lists the systems requiring reset will ensure they are restored quickly
  • Did you know that our estates colleagues have introduced a Standard Operating Procedure (SOP) for On Load Generator Testing to help support the process and communication of planned testing of equipment? Emails regarding generator testing are now sent via the following shared mailbox to relevant leads generatortesting@merseycare.nhs.uk. On receiving an email, leads can return a message to the mailbox if they have any questions or concerns
  • Do you know how you should escalate an incident that disrupts services?  In the first instance, notify your immediate line manager.   Your line manager should in turn notify the Operational (Bronze) on call manager who will notify the Tactical (Silver) on call manager.   The Tactical (Silver) on call manager will make the decision whether or not the incident needs to be reported to the Strategic (Gold) on call manager.  These would relate to incidents that have a significant impact, require expertise or co-ordination, substantial resource implications or lasting for an extended duration, or any situation that could potentially attract media attention

Training

The EPRR team offer the following training opportunities to staff

  • Business Continuity Plan development sessions
  • Local health command training for tactical and operational commanders
  • Loggist training (new sessions coming soon).

If you are interested in finding out more or if you feel that you need something specific, the team would like to hear from you, please email Emergency.Planning@merseycare.nhs.uk

Good practice identified

Keep your team's business continuity plan fresh

A piece of work has recently been undertaken to ensure that all Trust teams and services have an effective up to date Business Continuity Plan in place. All Staff (including new starters) should make themselves aware of the location and content of their Team’s Business Continuity Plan and raise any queries or concerns with their immediate Line Manager.  

Ideally, Business Continuity Plans should be regularly reviewed by the Team, particularly following an incident or period of disruption. 

If you would like to discuss any of the incident responses or learning contained within this bulletin, please email: Emergency.Planning@merseycare.nhs.uk

Industrial Action

We continue to refine our response to industrial action which continued as follows:

 

13 to 16 March

BMA Junior Doctor, British Dental Associate Trainees and Hospital Consultants & Specialists Association

15 to 16 March

Strike action in England and Wales Schools

 

11 to 15 April

BMA Junior Doctor Members

 

30 t0 1 May May

RCN Industrial Action

 

We learnt the following:

  • Early planning was essential, and the Divisions prioritised their service provision ready for the strike action period
  • Having Divisional spreadsheets detailing planned staffing numbers for each day gave assurance although it was acknowledged that this could change on the day.  It was identified during the debrief that it would be useful to hold a ‘real time’ staffing dashboard to capture staff on duty to complement the E Roster system, which our Information Department is now looking into
  • Having real time capacity and demand reports available proved essential in being able to monitor and respond to the situation
  • The receiving of timely and accurate information from external stakeholders is essential in supporting the prioritisation of service delivery and the maintenance of staff relationships.

Do you review your Business Continuity Plan after a Business Continuity Incident?

When you or your team have been involved in a business continuity incident, do you review your Team’s Business Continuity Plan and update it based on any learning identified?  It is good practice to hold a meeting with your team to review the incident response including what went well and what didn’t go so well.  Any learning identified should then be written into your business continuity action cards so you are even more prepared the next time it happens.

Collaborative Working:

When planning for an event that may potentially disrupt the delivery of Trust critical services, did you know that you can discuss it with the emergency planning team who will support with ensuring that relevant stakeholders are warned and informed about your contingency arrangements during the disruptive period.  

If you would like to discuss any of the incident responses or you have identified any lessons from business continuity incidents that others could learn from, please email: Emergency.Planning@merseycare.nhs.uk

Planning any maintenance works that might cause disruption to services?

When maintenance work takes place there is always the potential that it might impact on systems or equipment which may disrupt the delivery of services. When planning maintenance work the right people need to be notified at least 14 days in advance of the works to make sure there is time to consider the any impact and risks and plan associated contingencies. Divisional contacts are as follows:

Do you notify your Operational (Bronze) On Call Manager when Business Continuity Incidents Occur?

When an incident occurs in your team which affects the delivery of patient services and could cause potential harm to patients, staff or which may come to the attention of the media, please notify your Operational (Bronze) On Call Manager so they can offer support and consider if the incident needs to be escalated through to the Tactical (Silver) On Call Manager for further support. 

Do you have any critical equipment/systems that you rely on to deliver an essential service?

Do you have critical equipment, including telephone linesor systems, that are essential to providing a service to patients?

What would you do if the phone line or equipment suddenly failed? How would you carry on with the critical service?

Have a think about any critical equipment you are reliant on and whether there is a contingency action card in place in the event of failure. If you don’t have one, consider how you would continue to deliver that service in the event of failure and add the action card to your local business continuity plan.

If you need more advice on how to complete a business continuity plan for your service, come and join an informal Business Continuity Workshop. Further details are avaliable on YourSpace.

Planning for Industrial Action:

We have refined our response to industrial action, be it RCN, GMB, Northwest Ambulance Service or Junior Doctors.  Key Learning is as follows:

  • Joint planning with the Trade Unions is essential
  • Any derogation requests need to be agreed sooner rather than later
  • A clinical cell with a Doctor available for advice was found to be helpful in offering support during ambulance delays
  • Industrial action planning meetings were essential and should be established early in the planning stages
  • Staff found timely communication updates helpful
  • Ensuring there are split shifts for on call managers and those responding to the incidents.

Good practice

  • Teamwork - During every incident debrief, collaboration and support provided by staff responding to each incident has been a key theme, which really does make the whole process much easier. 

  • Creating Teams Channels during impacting works -  During recent IT works, an Microsoft Teams channel was set up for On Call Managers so that IT colleagues could provide live updates on progress. The On Call Managers found this very helpful and enabled the impact and risks to be managed safely. 

  • Giga Cubes – A silent contingency - In the event of a network failure, the GigaCube (a portable wireless router that transforms 4G and 5G networks into WiFi)  will provide mobile wireless internet access, allowing the Trust laptops to continue to access IT systems such as EPMA (electronic prescribing system). Informatics Merseyside currently have a rolling program to deploy GigaCubes across the Trust in order to enhance network resilience. Once they are implemented in your building, don’t forget to reference them in your business continuity action card for loss of IT.

 

Industrial action

Our response to the recent series of Industrial Action Days has been well managed by planning and preparation in the clinical divisions supported by an internal strategic (gold) command structure with timely communications and informative questions (FAQs).

Learning:

  • Situation reports were required to provide the Integrated Care Board (ICB) with information during industrial action. These could have been shared by the ICB with the Trust earlier to ensure information can be prepared in a timely way for submission back to the ICB
  • Improved understanding of where the communications team should forward relevant information to eg. to new strategic coordination centre (SCC) inbox
  • The Royal College of Nursing (RCN), as part of their nationally agreed process, asked the Trust to complete derogation forms to request exemptions for staff to work whilst supporting industrial action to maintain patient safety and safe staffing. Some derogation outcomes were received late from the RCN impacting on the Trust’s ability to communicate these to staff. It was agreed by the Trust and the RCN that meetings to discuss and agree derogations should have started earlier
  • The RCN Strike Committee would have benefited from the Trust providing them with an overview describing the role, function and location of each of its services
  • It would be helpful if the derogation form templates are simplified to ensure that the interpretation of the information required in relation to staffing numbers is consistent across all Services.

Lost network connection

On 23 November 2022 4pm, through network monitoring, Informatics Merseyside was made aware that several sites had lost network connectivity. This was due to a fault with third party suppliers, Virgin Media.

Learning:

  • Strategic (gold) and tactical (silver) on call managers will be telephoned by switchboard if they need to join Microsoft (MS) Teams meetings; the time of the incident, 5pm to 6pm meant not all staff were active on emails at the time
  • GigaCubes (portable wireless routers) will be installed across the Trust, in areas which don’t currently have them, as part of business continuity plans, this will enable internet connectivity for access to electronic patient records and the Electronic Prescribing Medicines Administration (EPMA) system.

Fire at another trust

On 10 August 2022 a major incident was declared due to a fire at Aintree Hospital Accident and Emergency Department.  The Trust’s internal operational (bronze), tactical (silver) and strategic (gold) on call management escalation process worked well, and the Trust’s strategic (gold) on call manager ensured the deputy chief executive of clinical services and chief nurse was briefed throughout the incident response period.

Good Practice:

  • Mental Health Care division placed nurse co-ordinators at the other responding hospitals to help manage and minimise the impact on their services
  • The Trust process for co-ordinating incident response meetings and recording actions/ decisions was well received by strategic (gold) command

Learning:

  • It is important to make sure that the correct Mersey Care managers are notified of an emerging incident in a local hospital in a timely manner
  • It is beneficial to have a defined and agreed system wide process for informing Trust on-call managers of an incident happening in another Trust
  • The strategic (gold) on call manager would benefit from being invited to the relevant ICB/NHS England (NHSE) incident response meetings
  • It is imperative that communications on call is notified when an incident is emerging / occurs, in hours and out of hours.

Disruption to phlebotomy supplies

During the period 1 to 11 August 2022 the Trust was made aware of disruptions to the availability of essential phlebotomy supplies.

Good practice:

  • Based on previous incidents of this nature, the Trust was able to confirm the stock levels required to meet demand, using business intelligence team analysis.  This enabled a forecast of how many appointments the Trust could undertake and plan accordingly
  • Due to learning from previous similar incidents, the clinical divisions had up to date knowledge of stock levels and activity per team and were able gather the information quickly.

Learning:

  • It was identified that supplier contracts were long standing and needed to be reviewed to ensure stock is readily available
  • Actions have now been put in place for stock to be ordered centrally, allowing for robust monitoring of stock numbers and delivery dates
  • It was noted that having one person or driver managing the distribution was not sustainable and going forward this would be taken into consideration to develop and improved process
  • It would be helpful if a list of affected teams is created in the event of a similar incident occurring, to ensure a timely and collaborative incident response.

 

If you would like to discuss any of the incident responses or learning contained within this update, please email Emergency.Planning@merseycare.nhs.uk

If you would like to discuss any of the incident responses or learning contained within these bulletins, please emailcEmergency.Planning@merseycare.nhs.uk