NHS cyber-attack: UK hospitals and GPs hit by widespread ransomware attack

The NHS has been hit by a major ransomware attack, shutting down multiple hospital IT systems across England and Scotland. NHS digital has issued an official statement, saying that an investigation is “at an early stage”, but that it believes the cyber-attack has not specifically targeted health services.

According to the statement, the NHS currently believes the malware variant is ‘Wanna Decryptor’, and that they currently have no evidence of patient files being accessed. The attack is apparently affecting “organisations from across a range of sectors”. There have been reports of similar ransomware attacks affecting Telefonica in Spain, as well as in Italy, Portugal, Russia, Vietnam, Kazakhstan and Taiwan.   

Hospital trusts across the country have been caught up in the incident, with doctors and other staff sharing further details on Twitter. One screenshot suggested the ransomware is demanding $300 in bitcoin to decrypt files, with the price doubling after three days. 

Amongst the hospitals reportedly affected are East and North Hertfordshire NHS trust, Blackpool teaching hospital NHS foundation trust, Barts Heath

 in London and Essex Partnership University NHS trusts. GP surgeries across Liverpool and parts of Greater Manchester are also reporting issues. The Scotsman is reporting that GP surgeries in Dumfries and Galloway have been affected by the virus. The NHS in Wales has confirmed it has a separate IT system, and that this doesn’t seem to have been affected by the attack.

According to the NHS, 16 of its organisations have been affected by the issue as of 15.30. 

“Immediately on discovery of the problem, the trust acted to protect its IT systems by shutting them down; it also meant that the trust’s telephone system is not able to accept incoming calls,” a spokesperson from the East and North Hertfordshire NHS trust said in a statement. “The trust is postponing all non-urgent activity for today and is asking people not to come to A&E – please ring NHS 111 for urgent medical advice or 999 if it is a life-threatening emergency.”

“To ensure that all back-up processes and procedures were put in place quickly, the trust declared a major internal incident to make sure that patients already in the trust’s hospitals continued to receive the care they need,” it added.

A number of local NHS websites are currently down, including those for Liverpool. According to The Guardian, one Liverpool GP, John Caldwell, said he had “no access to record systems or results”.

Blackpool Hospitals tweeted that it was having “issues with our computer system”, asking people not to come to A&E unless it’s an emergency.

Malware problem

Although the investigation is ongoing, the suggestion that the problem is the cause of malware rather than a targeted attack will raise questions about NHS security provisions.

A number of security experts have warned about the need for improved security to match the increase of interconnected devises in hospitals. “As we get more tech in health, especially wearables and connected devices, then the amount of data generated increases as security decreases,” Miller Newton, CEO of encryption company PKWARE told me in 2016. “I would be surprised if there isn’t an increase in the successful attacks on our healthcare systems as the year progresses.”

Law firm Kemp Little’s head of data protection and privacy, Nicola Fulford, has called the attach a “stark reminder” about security vulnerability: “Whilst the facts are still be fully known, it seems likely that critical healthcare functions have been impacted by cybersecurity issues in the UK with potentially huge and life threatening consequences. The importance of cybersecurity cannot be underestimated in the modern world.  While a connected world means absolute security is likely to be impossible, this is a stark reminder that everything is potentially vulnerable – and every business has a responsibility at some level under the law to protect against it even if absolute prevention is impossible.“

Commenting on today’s attack, Fabien Libeau, Technical Director at RiskIQ, said that the attack was a sign that healthcare institutions needed to adopt a more proactive approach to digital security:

“Although it is not yet clear how the infrastructure has been accessed, we have seen in previous cases that there are many points of entry currently leaving the data and infrastructure of the UK’s trusts vulnerable to cybercrime,” said Libreau. “This includes exposed frameworks and servers, vulnerable links with unsecure remote logins, and company domains due to expire imminently. Only by continuously monitoring the external attack surface can NHS organisations begin to detect and implement the right security measures to protect itself and patients against increasingly sophisticated attacks.”