
NHS email blunder has highlighted the perils of human error

So yesterday we led in with a story that had an amusing side to it but was actually serious. Likewise today we’re reporting on the email blunder that led the NHS into near-paralysis yesterday.

Let’s stress before we go any further that the illustrations are intended as random hospital pictures and there is no suggestion that these institutions were responsible for what happened.

The error was perfectly simple: someone put an email together, hit “send” but accidentally hit “send to all” rather than just to one other colleague or group of colleagues. So on Monday morning they sent an email to 840,000 of their co-workers.

Compounding the error

It got slightly worse after that, as at least 54 people hit “reply all” asking to be taken off the list. Dan Sloshberg, Cyber Resiliency Expert at email security company Mimecast, suggested that there were security implications: “Today’s growing dependence on email communication means that if email servers go down, there is a huge impact on employee productivity. This NHS email overload highlights that human or technical error is unavoidable and organisations must plan accordingly.

“Organisations need a cyber resilience strategy to ensure productivity is not lost and employees can continue working even when an incident occurs – whether it was caused by external cybercriminals or unintended internal errors.”

To which the answer is: yes, kind of. However, the glaring issue about yesterday’s incident is that it should never have happened.

Physician, heal thyself

New Statesman Tech writes a lot about people using their own technology at work. The good thing about this is that it minimises the need for training; the bad thing is that it can lead people to believe they know how, say, an email system works because they’ve always used it in such and such a way.

So they hit “send all” by accident or hit “reply all” as a reflex. Two things could have intercepted these mistakes. First, better briefings; people need to be aware that if someone sends an email in error then “reply all” is unacceptable. Replying to a single sender is sufficient.

The second thing is some sort of automated warning system. It can’t be beyond the wit of a developer within the NHS to write some sort of software routine in which 50 or more users sending to 840,000 people within an hour triggers some sort of alarm. Or indeed, a simple check: a dialogue box saying “You are about to send this to 840,000 people, is this what you intended?” or words to that effect would probably have eliminated a lot of the second issue.
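The two checks proposed above, sketched as an added example (not NHS or New Statesman code): a pre-send confirmation test and a sliding-window alarm over mail-log events. The event tuple layout, function names, addresses and timestamps are assumptions constructed for illustration; the thresholds are the article's figures.

```python
from collections import deque
from datetime import datetime, timedelta

# Figures from the article; a real mail estate would tune these (assumption).
LARGE_AUDIENCE = 840_000        # expanded recipient count treated as "everyone"
SENDER_THRESHOLD = 50           # distinct senders in the window that raise the alarm
WINDOW = timedelta(hours=1)

def needs_confirmation(recipient_count, limit=LARGE_AUDIENCE):
    """Pre-send check: True when the client should show the 'is this what
    you intended?' dialogue before the message leaves."""
    return recipient_count >= limit

def detect_reply_storm(events, limit=LARGE_AUDIENCE,
                       threshold=SENDER_THRESHOLD, window=WINDOW):
    """events: time-sorted (timestamp, sender, expanded_recipient_count).
    Returns the timestamp at which `threshold` distinct senders have each
    mailed `limit` or more recipients within `window`, else None."""
    recent = deque()            # (timestamp, sender) of large sends in window
    per_sender = {}             # sender -> entries currently held in `recent`
    for ts, sender, recipients in events:
        if recipients < limit:
            continue            # ordinary mail is ignored
        recent.append((ts, sender))
        per_sender[sender] = per_sender.get(sender, 0) + 1
        while ts - recent[0][0] > window:   # drop sends older than the window
            _, old = recent.popleft()
            per_sender[old] -= 1
            if per_sender[old] == 0:
                del per_sender[old]
        if len(per_sender) >= threshold:
            return ts
    return None

def sample_events(n_senders, spacing_seconds):
    """Constructed log: one all-staff message per sender, evenly spaced."""
    start = datetime(2024, 1, 1, 9, 0)      # constructed timestamp
    return [(start + timedelta(seconds=i * spacing_seconds),
             f"user{i}@example.org", LARGE_AUDIENCE)
            for i in range(n_senders)]

if __name__ == "__main__":
    print(detect_reply_storm(sample_events(54, 30)))    # alarm fires
    print(detect_reply_storm(sample_events(54, 120)))   # too slow: no alarm
```

Counting distinct senders rather than messages means one person resending the same message repeatedly does not trip the alarm, while a wave of separate “reply all” responses does.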

New Statesman Tech looks forward to not having to report on this sort of error ever again.