Multiple NHS trusts across England disrupted by ransomware attack
- 12 May 2017
Multiple hospitals across England have been hit by a large-scale ransomware attack on Friday afternoon, with trusts having to switch off their systems.
The NHS is believed to have been hit by a ransomware variant called ‘WanaDecrypter’ which has also hit Spanish telco Telefonica and many other organisations across Europe today. This malware exploits a vulnerability in the Windows malware detection service.
NHS Digital have confirmed an investigation is on-going, and that it is working with NHS England, Department of Health and the National Cyber Security Centre.
“At this stage we do not have any evidence that patient data has been accessed”, a spokesperson said, “we will continue to work with affected organisations to confirm this”.
Sources told Digital Health News that there was a major N3 cyber security issue on Friday with a number of trusts offline and some localities turning off their full networks, and social media reaction suggests it happened from around 1:30pm.
NHS Digital have confirmed 16 NHS organisations across England have been affected – no names have been disclosed from NHS Digital, however the media has reported East and North Hertfordshire NHS Trust, University Hospitals of Morecambe Bay NHS Foundation Trust and Torbay and South Devon NHS Foundation Trust have been hit. The (hashtag) #nhscyberattack is currently trending on Twitter.
Barts Health NHS Trust, the largest trust in the country, have also been hit by a “major IT disruption”. Ambulances have been diverted, and routine appointments have been cancelled, and the trust has asked the public to use other NHS services wherever possible.
In a statement, the trust said a major incident plan has been activated.
George Elliott Hospital NHS Trust confirmed that it had been hit and that its systems were down.
Trust spokesman James Turner, said: “We are currently dealing with a suspected cyber-attack which has resulted in a shutdown of a number of our IT systems. We have implemented our contingency plans and we continue to provide services in A& E and essential services elsewhere.
“We do ask that patients only use A&E in an emergency and to contact NHS 11 for non-urgent advice. In order to ensure we maintain quality and patient safety, we have had to cancel a number of Out Patient appointments and are operating a limited radiology service.
“We apologise to patients. We are working hard to resolve the issue as soon as possible.”
Sources indicate that Blackpool Teaching Hospitals NHS Foundation Trust and East Lancashire Hospitals NHS Trust have also been affected.
A spokeswoman at North Cumbria University Hospitals NHS Trust confirmed that the trust had been impacted this afternoon, but referred all other queries had to be forwarded to NHS Digital.
On the bitcoin address associated with the malware a payment of $266.23 had been added today.
The Patients Associations’ response to the attack on Friday afternoon was: “We should be clear that the responsibility for today’s apparently extensive attack on NHS IT systems, and for any harm that occurs to patients as a result, lies with the criminals who have perpetrated it”.
“From reports so far, the attack appears to have been highly co-ordinated and aggressive, and a police investigation will no doubt be required.”
Joe McDonald, chair of the CCIO network urged NHS CCIOs, CIOs and other digital leaders to join colleagues already sharing information online on how best to respond to the attack.
East and North Hertfordshire NHS Trust released a statement saying it had to shut down its IT systems.
“Immediately on discovery of the problem, the trust acted to protect its IT systems by shutting them down; it also meant that the trust’s telephone system is not able to accept incoming calls.”
“The trust is postponing all non-urgent activity for today and is asking people not to come to A&E – please ring NHS111 for urgent medical advice or 999 if it is a life-threatening emergency.”
This is a developing story.
Twitter reactions:
We're aware of an IT issue affecting NHS computer systems. Please do not attend A&E unless it's an emergency. Thank you for your patience.
— NHS Mid Essex CCG (@MidEssexCCG) May 12, 2017
Major IT issues are causing delays at our hospitals. Please use other services if possible. More information at https://t.co/3vfPLyfTvD
— Barts Health (@NHSBartsHealth) May 12, 2017
All shut down in Yorkshire-even in GP practice. Back to handwriting notes while seeing patients without full histories! #nhscyberattack
— Chris Maguire (@chris_magz) May 12, 2017
https://twitter.com/BellBells41/status/863055542406795265
whoever is responsible for the cyber attack on the NHS should be hunted down and thrown in prison.
Parasites.#nhscyberattack— Stuart Kelly (@S_E_Kelly) May 12, 2017
https://twitter.com/m_habbershaw/status/863055218589696000
https://twitter.com/samgadjones/status/863048431069167616
https://twitter.com/Saif_Abed/status/863058840014794752
Massive NHS hack cyber attack today. Hospital in shut down. Thanks for delaying emergency patient care & endangering lives. Assholes.
— B (@brobertson2010) May 12, 2017
WHO THE HELL CYBER ATTACKS HOSPITALS?!?! What a pathetic set of people. Crawl back into whatever swamp you came from… #NHS #CyberAttack
— Russell 🏳️🌈 (@Medic_Russell) May 12, 2017
Friend who works in NHS is reporting a massive cyber attack on NHS, everyone shutting everything down. Loads of trusts hit. #NHS
— Jen Barbery (@Jen_Barbery) May 12, 2017
32 Comments
Tha majority of Barts Health machines are using Windows XP!!! This is the fourth time their security has been breached in the past five years.
Surely a good time to consider open source solutions and ween the NHS off MS tech. Cheaper and more stable.
That would a an odd knee jerk reaction as it is the security management regime at fault here.
How about get everyone off home brewed IT solutions and on to NHS.net mail to try and close the door on how this sort of thing starts?
Then an urgent review of those who self certified to IGSoC Level to that they had a proper security management processes and a patch routine.
Perhaps a Cisco CCNA 101 on why it isn’t sensible to have every computer on every subnet talking to every other computer on all ports and protocols?
This sort of thing can be stopped in it’s track without having to rip and replace and start over because the IT department needs to look useful.
Security and configuration management doesn’t care if you are open source or not and neither does a hacker.
nothing wrong with MS tech or other tech, the NHS was and continues to use XP !!!
please do not implicate the IT suppliers in this mess !
Whilst attractive in theory, in that there are fewer malware variants targeting Linux, the list of Linux vulnerabilities is still a long one.
See https://www.cvedetails.com/vendor/33/Linux.html for details.
On the plus side, they are generally found and patched quickly, and there is no extortionate fee for Microsoft to support older OSs that are not included in patch updates. We can leave Jeremy Hunt’s decision not to pay MS for another time..
Many Linux distros are not free (Red Hat, Suse etc) but the license costs are a fraction of what we pay to Microsoft. If your IT techs know and understand Linux, you can use perfectly good free distros such as CentOS and Ubuntu. CentOS is essentially RedHat without the support. Not sure what distro they use on the spine, but they have taken a bold step that we need to learn from. If you want to support open platforms in the NHS, have a look at this : http://rippleosi.org/open-digital-platform-challenge-fund.
We also need to support this : https://nhsbuntu.org
Totally agree with Mark.
Even those organisations that could afford to fund the deployment costs to move from XP to Windows 7 were left with the “professional” version, which microsoft has mercilessly withdrawn core management features from (e.g. group policy features)
The end of the EWA left organisations stuck on an edition of software that no longer has the core features required for management of primary user interface (I.e. Windows).
As for third party suppliers and there intransigence to support latest OS and more importantly platform (e.g. java, .NET) mandatory security updates….
There are a lot of mercenary enterprises taking advantage of the NHSs inability to mandate and coordinate the required policies on suppliers which would at least give the underfunded and underappreciated IT functions the ability to provide the service they so desperately wsnt to.
I think I’ve found the root cause : “Not invented here syndrome”.
Of all the NHS organisations effected so far the majority are not using @NHS.net email.
Working in the NHS as an IT Lead, my trust to date has not been affected, we have managed to to this by a focus on our perimeter security and then working back to the desktop. This is then followed up by lots of IG Security pop ups and finally upgrading (painfully) windows XP to windows 7….however….the issue is only short lived.
Some suppliers still do not support XP on the version of software we have and only a forklift upgrade to a new server based version at twice the cost will make us compliant.
NHS Digital have to take a lead on this and enforce standards for us locally to be able to use, if you want to sell a product into the NHS then 1. it must be compliant with currently supported OS and 2 it must remain compliant with the latest version, not being held to ransom to upgrade to keep inline with the latest Win OS.
The issue is short lived as a number of us are on the old MS EWA and to procure a MS EWA locally is expensive, NHS D must for me, step in and provide another MS EWA as i am sure the disruption and political fall out will cost more. Introduce a NHS MS EWA
, introduce standards for software suppliers to comply with latest OS and then use CQC to rate organisations that do not upgrade.
If large organisations with a smaller budget then the NHS can comply….why is we cannot!!
The current govt I not allowing trusts to invest in upgrading systems and therefore security, money that had been budgeted has been withdrawn to cover the shortfall and balance the books. The real people to blame for this are the bean counters in government who report failures in targets not the 100s of extra patients treated. The NHS is victim to multiple parasites.
The ONLY way to stop these type of attacks is to outlaw bitcoin and other cyber money. The only reason these ransom ware attacks can work is if the attackers can stay anonymous. They can hardly open a bank account nor turn up at each victims address asking for cash without being exposed.
Cyber money is behind much of the current e fraud and crime.
I have said on many occasions that there is no point in having part of the NHS hyper-protected, whilst leaving vulnerabilties in other areas. We need a determined effort to remove out of date operating systems; ensure that automatic upgrades of Windows software can be performed safely throughout the entire estate (i.e that no NHS software requires antiquated versions of Windows in order to run); that upgrades ARE automatically performed; and above all, ensure that hard-pressed staff have time to think, so that they don’t automatically click on attachments which turn out to be malicious.
THIS ALL COSTS MONEY – and it MUST be made available, without fail, across the entire NHS.
Strange to say, I have the sneaking feeling that it’s the last of these conditions which will be the hardest to implement — ensure that staff have time to think before clicking, rather than being so overwhelmed with work that they forget in the heat of the moment. Across the entire NHS, that’s going to produce a very big bill indeed.
It’s getting control of IT NOW that counts, getting control of IT would lead to improved efficiency, freeing up money.
Have seen multiple highly suspicious @nhs.net emails hitting my Inbox over the last few months. Have reported every one of them to helpdesk@nhs.net and had automated replies telling me to “delete them”. It was just a matter of time before one of them got opened and managed to deliver its payload. I wonder if we will ever be able to mitigate this kind of threat effectively.
Looks like this whole thing could’ve been avoided if local IT managers were keeping up to date with MS patches
I don’t think that’;s accurate. It’s widespread across mulitple sectors.
My understanding is it is effecting end terminals and locally networked machines. It’s not likely to affect clinical systems, except for not being able to use it because your computer doesn’t work.
So it’s likely that e.g. all clinical records are in fact untouched. If the record is held on the server of the third party
Trying to think how an attack like this starts. User opens dodgy document, malware is on local machine. How does malware get onto the N3 network. Does it do so directly or through a system on the machine which accesses N3 with a flawed security mechanism?
A prediction we made in Australia when looking at Health IT is that there will be a number of major ‘airplane crashes’ before the problem is fully recognised and appropriate resources applied. Hopefully this is not one them.
I think this will likely be of such sufficient scale it could be the proof required that security is not where it should be across local IT systems.
I think your article should read “to NOT open any attachments”, rather than to now open attachments …..
N3 is a commercial network available to NHS Trusts and supporting (commercial) third party organisations. Its level of inherent security is the same as that of any IP network. Its up to the consumers of network services to secure their connections, just like the Internet. Looks like Trusts have failed in this obligation.
An NHS Digital advisory statement warned that a ransomware attack was ongoing and advised users to now open any attachments.
typeo
Literally as we announce some Cyber Security and GDPR sessions in Preston and Lancaster this breaks. Anyone and everyone is a target.
At least you are talking about GDPR half the NHS doesn’t know about it let alone know what to do about it!
The N3 network is as secure as a sieve. One of the biggest complaints I had when working for an organisation that provided IT services to primary health was that the misconception that N3 was secure was it’s single largest vulnerability. The biggest problem being that because the N3 network was incorrectly assumed to be inherently secure there was very little, if any, appropriate mitigation taken by individual organisations to secure themselves from other organisations also on the N3 network. Once you are ‘in’ the N3 network it’s trivial to move from organisation to organisation, planting backdoors, leaving malware and stealing data.
An attack such as this was an inevitability given the underlying issues with the infrastructure and approach to security. I would add that although more resources would help with regards to IT security, the primary issues are cultural and a lack of appropriately skilled staff in the right areas.
Sadly, the weakest link is someone opening a Word document called Receipt.doc. Bleep Bloop. All your base are belong to us.
MS17-010 was patched back in March. Even when you have legacy systems you lock them down and firewall them from other lines of business. The weakest link is probably a sloppy IT department.
Doesn’t need users to open an attachment, just browse onto an infected webpage. You would be surprised how many third party business legitimate webpages carry malware. Firewalls won’t help as standard web browsing traffic is allowed through any firewalll. Once a machine behind the firewall is infected the worm looks for all machines connected to that machine to see whether there is an unpatched machine. If so these are immediately infected without further user intervention. Therefore once this worm got behind a firewall in any NHS organisation, all trusts or surgeries connected on a network would be vulnerable. The answer is a full inventory of all machines so that patching occurs completely and without exception. High importance out of band patches must be applied quickly and without exception. Legacy operating systems such as XP must either be retired, or if retained extended support must be purchased from Microsoft to ensure security patches are still available. Not rocket science just good old fashioned disciplined housekeeping which many would find boring.
thought N3 was supposed to be the bees knees and secure. old technology again no doubt.
A popular misconception. N3 is just network infrastructure but it is connected to the internet and their are many many bridges to the internet some of which are accidental . NHS security makes Swiss cheese look like a wholesome block of cheddar.
What I don’t quite understand is how it has been distributed so widely. Is it just a common human weakness or something more sophisticated?
Thanks goodness I make subject access requests and try to get copies of all my data.
Firstly it is not targeted at the NHS solely. Many others worldwide impacted. Secondly, the malware is a self replicating worm, which is why it spreads aggressively. No user intervention required for replication.
Comments are closed.