NHS Crippled With Ransomware Attack

On Friday 13th May between 40 and 48 NHS organisations, plus hundreds of GP practices and walk-in clinics across the entire country, went into lockdown mode due to a major “ransomware” cyber attack. Reports suggest that this was part of a global attack which is believed to have hit 74 countries.

NHS Digital, which was formally re-branded from the “Health and Social Care Information Centre”, is the principal authority dealing with data security in the public sector healthcare community. As of the time of writing, NHS Digital's statement on its website is the briefest of notices, considering the size of the attack: “…. We are providing guidance on the cyber attack …… if you have any questions ….. please contact your organisation’s IT helpdesk”. The statement then goes on to say “…. If you are an IT manager and (you) require further information please contact NHS Digital on carecert@nhsdigital.nhs….”

The authority that is responsible for providing IT security issued warnings to NHS organisations and GP practices to shut down systems and make them inaccessible, and yet, somewhat ironically, is advising healthcare professionals to continue to communicate via email with an NHS address.

NHS Digital acknowledged that there had been an attack, but affirmed that there was NO evidence that patient data had been accessed. Nothing more was stated, thereby suggesting to the general public that the IT Authority had somehow saved the day. Nothing could be further from the truth.

Hospitals across the country were shutting down their A&E units. Emergency patients were being diverted, operations and other procedures were cancelled and patients were advised not to come to hospitals and to call the NHS 111 service instead.

Home Secretary Amber Rudd slammed NHS hospitals for failing to update their computer systems and for failing to implement adequate safeguards in spite of numerous warnings of imminent ransomware attacks against the NHS.

In point of fact, over the past 12 months dozens of NHS hospitals have been targeted by cyber blackmailers who probed the soft or non-existent security systems in NHS institutions. Time after time senior medical staff have warned that the NHS, with its antiquated IT platforms, is especially vulnerable, both to the compromise of patient records and to the locking down of hospitals' operating systems.

All of this was heavily underscored when hackers locked down Hollywood Presbyterian Medical Centre in Los Angeles last year, and it was only when the hospital paid a $17,000 ransom demand, ten days later, that their system was restored.

Given the highly sensitive nature of this issue, Trusts have been reluctant to discuss any ransomware incidents and they have in the past refused to reveal whether any monies have been paid. But records obtained last year under the Freedom of Information rules show that at least 40 NHS hospitals were victims of “ransomware” attacks, and while most claimed that they paid no ransom, at least ten declined to answer the question and at least two admitted that some money was paid.

The Government announced ten months ago that £1.9 billion had been set aside to enhance cyber security in the UK and a new National Cyber Security Centre (NCSC) has been set up to lead the fight against cyber gangs, criminal groups and foreign states. Ciaran Martin has been appointed as the Chief Executive Officer of NCSC along with Dr Ian Levy who has been appointed as the Technical Director.

Now, while the desire and commitment to provide an aggressive response to all cyber attacks seem to be in place, nothing concrete has been done to date to shore up essential cyber security platforms. In point of fact, 68% of all NHS hospitals and over 45% of private hospitals have NOT implemented any new cyber protection systems, and to make matters worse the head of NHS Digital has downplayed the seriousness of the current attacks, labelling them as “insignificant at this time ….. more of a nuisance than a real data threat”.

There are, however, a number of very serious problems that cannot be labelled a mere inconvenience. A hospital which must close because its IT systems have been hacked puts patients' lives at risk, and Hospital Directors who have been warned about the problems could face serious criminal charges of reckless endangerment if they fail to act.

Leading IT consultants who have worked at some of the UK’s world-renowned hospitals to assess security and vulnerability have been unanimous in saying that IT failures, outdated software and outdated security certificates leave the majority of hospitals weak and unprotected.

Moreover, this blatant short-sightedness could create a mountain of lawsuits which would be completely devastating to a healthcare system that is already financially on the brink.

NHS and private hospitals and clinics and the new GP federations are being advised in confidence to put their houses in order rather than wait for a major catastrophe to occur.