The NHS was the highest-profile victim of a global ransomware attack on 12 May, which resulted in practices being shut down, operations being cancelled and GP documents such as patient records being unavailable in England and Scotland.
The National Cyber Security Centre (NCSC) worked ‘round the clock’ to bring systems back online after computers in GPs’ surgeries and hospitals were hit by malware that blocked access to any files on a PC until a ransom was paid.
The ransom message read: ‘Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.
‘You only have three days to submit the payment. After that, the price will be doubled. Also, if you don’t pay in seven days, you won’t be able to recover your files forever.’
NHS computers received the pop-up message demanding the $300 (£233) per device ransom in Bitcoin in exchange for access to the PCs. Patient records, appointment schedules, internal phone lines and emails were rendered inaccessible and connections between computers and medical equipment were brought down. Staff were forced to use pen and paper and their mobile phones instead.
The attack, believed to have been launched from North Korea, affected NHS computers after an email attachment with the ransomware was opened. Health practitioners were told to shut down their computers, take out network cables and unplug their phones. Patients were still being diverted from some NHS services six days later.
Europol, the EU’s law enforcement agency, called the cyber-attack the ‘largest ransomware attack observed in history’ and Microsoft described the incident as a ‘wake-up call’.
The NHS has faced renewed concern about the strength of its digital infrastructure, after it was revealed that of the 1.5 million connected devices across NHS England, about 70,000 were running Windows XP, a 15-year-old operating system. Microsoft stopped providing security updates for Windows XP in April 2014.
The unprecedented attack, using software called WanaCrypt0r 2.0 or WannaCry, exploited a vulnerability in Windows. Microsoft released a software update for the flaw in March, but computers that had not installed the security update or were using an old operating system were left vulnerable.
The Patients Association said: ‘It has long been known that the NHS struggles with IT in multiple respects and that this includes serious security problems.’
In May 2015, the Government stopped paying Microsoft for extended Windows XP support, which at the time cost £5.5m.
In February 2016, the Department of Health transferred £950m of its £4.6bn budget for capital projects, such as building works and IT, to revenue budgets to fund the day-to-day activities of NHS bodies.
The shadow health secretary, Jonathan Ashworth, urged the Government to be ‘clear about what’s happened’, describing the attack as ‘terrible news and a real worry for patients’.
Prime Minister Theresa May said: ‘This is not targeted at the NHS, it’s an international attack and a number of countries and organisations have been affected.’
The same malicious software that hit NHS networks attacked some of the largest companies in Russia, Ukraine, Taiwan, Spain and Portugal, including Telefónica, Renault and FedEx. In Germany, railway operator Deutsche Bahn was a high-profile target, with screens at stations showing the ransomware message.
Kaspersky Lab, a cybersecurity company based in Moscow, estimated that 45,000 attacks had been carried out in 99 countries, mostly in Russia, but suggested that the totals could be ‘much, much higher’.
Shortly after the attack began, a 22-year-old web security researcher from Devon known as MalwareTech discovered an effective kill switch by registering a domain name he found in the code of the ransomware. This greatly slowed the spread of the infection, effectively halting the initial outbreak after three days.
The Chartered Institute of IT, the Patients Association and the Royal College of Nursing joined forces with Microsoft to produce an outline of the steps NHS trusts should take to avoid another crippling cyber-attack. This included increasing the number of qualified and registered IT professionals and ensuring there are clearly laid out standards for accrediting them.
The NHS contract has now been changed so that NHS organisations are formally required to adopt data security standards as recommended by the independent National Data Guardian for Health and Care, including security training for staff, reviews of processes, and extensive contingency plans to respond to threats to data security.
Last year the Government established the National Cyber Security Centre to spearhead the country’s digital defences. In the six months before February, the centre blocked 34,550 potential attacks targeting UK government departments and members of the public.
On 12 July, the Government announced that investment in data and cyber security will be boosted above £50m and include a new £21m capital fund for major trauma centres. This is part of its response to reviews and consultation feedback after April’s attack. The Government accepted the recommendations in both the National Data Guardian and Care Quality Commission reviews.
To strengthen the safeguarding of information, the National Data Guardian will be given statutory footing by May 2018. Stronger sanctions will also be introduced to protect anonymised data, including severe penalties for negligent or deliberate re-identification of anonymous individuals. The Government also announced plans to:
- Give patients and the public more control over their personal data.
- Build confidence in the importance of secure data to provide better individual care and treatment.
- Support research and planning across the health system.
To mitigate the immediate risks to cyber security, NHS Digital is now supporting local organisations by broadcasting alerts about cyber threats and carrying out on-site assessments.
It has also created an incident hotline.
The Government is now working to determine the fastest and most cost-effective way to support the NHS to move from unsupported operating systems, including Windows XP.
Health minister Lord O’Shaughnessy said: ‘Only by leading cultural change and backing organisations to drive up security standards can we build the resilience the NHS needs in the face of a global threat.’
Professor Helen Stokes-Lampard, Chair of the Royal College of GPs, responded: ‘The cyber-attack in April was a wake-up call to many of us about the fragility of the IT systems we are using, not just to keep our patients’ data safe, but to keep our surgeries functioning.
‘We also welcome a phased approach to a transparent national opt-out scheme for data and information sharing. Sharing of patient data between healthcare professionals can result in faster and more integrated care. There are also significant benefits, particularly for research, to sharing properly anonymised patient data on a large scale with research bodies.’
Dr Stokes-Lampard called for any new requirements for general practice to be ‘fully funded’ by the NHS.
How can you protect yourself?
If you receive a demand for a ransom, there is no guarantee that access will be granted after payment.
With advanced anti-virus software, it is possible to remove the virus from the computer. You can also do this manually by putting the computer into safe mode and deleting the infected files. However, prevention remains the best form of defence.
Security experts say users should ensure their computer software is always up to date. Often, important security updates are contained in these downloads and can prevent known viruses from infecting a device.
Users should also be vigilant about email and not open any links or download attachments from unfamiliar or suspicious sources.
Experts also warn that software, apps and other programs should never be downloaded from unofficial sources as this is another common method for hackers to secretly install malware.
Pete Turner from cyber security firm Avast said: ‘It’s critical that organisations and employees, particularly those in our most critical sectors like healthcare, start to think pro-actively about how to protect themselves from ransomware.’