CYBER CRIME: The hidden threat to us all

The cyber attack which crippled the NHS revealed the chaos that can be caused by computer hackers.

By The Newsroom
Monday, 24th July 2017, 10:13 am
Updated Monday, 11th September 2017, 12:45 pm
Blackpool Victoria Hospital
Blackpool Victoria Hospital

The Johnston Press Investigations Team has uncovered some never before disclosed information about the NHS cyber attacks.

AASMA DAY looks at the repercussions at hospital trusts in Lancashire.

The cyber attack that infected thousands of NHS computers in Lancashire and forced appointments to be cancelled was not a one-off.

A ‘very small number’ of cancelled procedures were in Blackpool, although neighbouring NHS trusts were much harder hit.

On Saturday, The Gazette revealed a sharp rise in cyber attacks in the county and today we look at how online criminals are targeting the health service.

The Johnston Press Investigations Unit submitted Freedom of Information requests to NHS hospital trusts throughout the country before the NHS WannaCry occurred asking them about cyber attacks to their organisation.

Blackpool Teaching Hospitals NHS Foundation Trust refused the request for information about attempted and successful cyber attacks citing safeguarding national security and prevention and detection of crime – however responses from nearby trusts reveal the scale of the threat facing the NHS.

Cybercrime series - cybercrime and the NHS

A spokesman said: “If disclosed, this information could be used to identify ways of breaching our trust’s IT security which would thereby put us at increased risk of cyber attack.

“This would potentially put invaluable patient and staff data at risk which the trust has a legal duty to protect under the Data Protection Act and other confidential data which is essential to the running of trust services.”

However the trust stressed the impact of May’s WannaCry attack was limited.

A spokesman said: “Staff at Blackpool Teaching Hospitals worked tirelessly to provide safe and effective care following the ransomware attack which began on Friday May 12.

Cybercrime series - cybercrime and the NHS

“IT staff worked round the clock that weekend within the acute hospital, community settings and GP surgeries to restore systems to allow the service to continue to operate.

“On Saturday May 13, it was necessary to cancel a very small number of procedures and these patients were rescheduled. Emergency services were not compromised at any time.

“Not all systems were affected by the malware and we focussed on restoring those that were as quickly as possible.

“At no time was there any risk to patient safety as Blackpool Teaching Hospitals has a robust business continuity system.”

It has previously been reported that 1,217 computers were affected across the Fylde coast – 996 of them at the hospital. This figure includes those taken offline as a precaution as well as those infected by the ransomware. Lancashire Teaching Hospitals NHS Foundation Trust also refused the FOI request as they felt it was exempt as it could or be likely to, prejudice the prevention or detection of crime.

It also felt the information could be exploited for the purposes of ransomware, other malware, or to withhold and disrupt IT functionality within the trust and assist criminal offenders, seriously threatening the effective delivery of healthcare by the trust.

However, the trust has since revealed the information surrounding the aftermath of the WannaCry attack.

Around 3,000 computers at the Royal Preston and Chorley and South Ribble Hospitals were infected.

Lancashire Teaching Hospitals also disclosed that 441 procedures and appointments were affected but ‘were quickly re-arranged’.

Paul Havey, deputy chief executive at the trust, said: “We have taken steps to try to safeguard against any possible future risk and have further strengthened the cyber security suite that we have in place.

“We continue to work with NHS Digital to ensure that we follow any national guidance as and when it becomes available.

“Our staff worked around the clock to restore our systems as quickly as possible to ensure our services continued to run effectively and safely for our patients.” The Wrightington, Wigan and Leigh NHS Foundation Trust said it was targeted with 25,160 attempted attacks in 2015/16, followed by 60,570 in 2016/17 and a further 465 so far this year.

It confirmed the attacks were a mixture of standard malware and ransomware attempts.

But with no data lost, not a single one of the attacks was reported to police.

Six ransomware attacks took place on the University Hospitals of Morecambe Bay NHS Foundation Trust in the past three years, in which ‘data shared on individuals’ networks or shared drives was encrypted, which we restored from back up’. These incidents were reported by the trust to NHS Digital.

The Southport and Ormskirk Hospital NHS Trust confirmed it cancelled 42 operations and 3,047 appointments with the re-arranged appointments due to run until the end of this month.

A spokesman for the trust said: “Throughout the entire period, the trust protected the A&E department and the emergency and urgent elective surgery lists to ensure patient safety.”

The Bolton NHS Foundation Trust said it has been facing ‘continuous attacks’ over the past five years, none of which had been successful.

The cyber attack hit numerous NHS organisations on May 12 this year and led to patients being diverted from A&E, routine surgery being cancelled and stopped vital equipment such as MRI and CT scanners from working.

It was initially believed only local NHS computers were affected, with The Gazette and the Lancashire Post breaking the news early in the afternoon.

But it quickly became apparent the problem was much more widespread and crippling machines across the national health service network - and indeed around the world.

The WannaCry attack ransomware attack locked users’ files and demanded a $300 (£230) payment to re-open them. More than 300,000 computers in 50 countries were affected and payments of around $80,000 made to the attackers.

The 47 trusts in England that were affected by the WannaCry cyber attack had failed to install an IT security patch that would have protected their systems and had been sent to them the previous month by NHS Digital.

Dan Taylor, head of cyber security for NHS Digital, told a cyber security conference: “Forty-seven organisations didn’t listen because they were infected but a lot of organisations did.

“There are 30,000 to 40,000 organisations in health and just 47 were infected.”

He also said he believes the incident has made senior clinicians understand the link between cyber security and delivering services to patients.

“The big comment I heard time and time again was: ‘We didn’t realise how technology underpinned what we do, we didn’t even consider the ongoing impact of this kind of thing’.”

Mr Taylor said it is important for trusts to be open and honest about the impact of cyber attacks on their organisations.

He said: “Transparency is difficult because it sometimes leads to difficult questions.

“But we have found that if you are transparent in your data security, when you make mistakes patients are much more willing to forgive you because they know you are trying your best.

“We need patients and patients’ groups to see what we are doing.”

NHS Digital says successful cyber attacks should be reported to relevant law enforcement agencies and even unsuccessful incidents should be treated with the ‘utmost seriousness’ and logged and reported.

A spokesman said: “It is important that health and care organisations meet their obligations to report serious cyber incidents to NHS Digital and all relevant authorities in line with existing guidelines.

“Such incidents are not routinely published publicly due to security risks but occur rarely. In line with the recommendations from the National Data Guardian’s review into data security, consent and opt-outs, trusts should report serious cyber incidents to NHS Digital and all relevant law enforcement agencies.

“Any incident should be treated with the utmost seriousness.”

Is your identity being sold online? See tomorrow for our disturbing figures