NHS cyber attack: Large-scale hack plunges hospitals across England into chaos

Message appearing on computers tells doctors that they need to pay if they want to save their files

Andrew Griffin
Friday 12 May 2017 15:22 BST
NHS hit by major cyber attack

Dozens of hospital trusts across the country have been hit by a huge cyber attack, plunging the NHS into chaos.

IT systems appear to have broken and emergency patients are being diverted to other areas, with hospitals across England and Scotland affected.

The NHS was just one of the victims of the huge attack, which spread across the world infecting computers in 74 countries in Europe and Asia.

On Friday night, US firm Fedex announced its operations in the US were also affected. Russia's interior and emergencies ministries, as well as the country's biggest bank, Sberbank, also said they were targeted.

The hack appears to be an example of ransomware – malicious hackers breaking into computers and only allowing their owners back in when they pay enough money.

A message showing on computers tells users that they can recover files but only if they send $300 of bitcoin to a specific address.

The price will rise with time and the files will eventually be deleted, the warning reads.

Affected NHS trusts said that IT systems had been shut down in order to protect them. That meant that all systems were offline and hospitals were unable to accept incoming calls.

Scheduled appointments had to be cancelled, ambulances were diverted and some departments shut down entirely. What staff were working had to do so with pen and paper and without access to any digital files.

Leaders including Theresa May and Nicola Sturgeon held crisis meetings on the issue to attempt to stem the effects.

The attack appeared to be a new strain of a relatively well-known piece of ransomware known as Wanna Decryptor. That was updated on the day of the attack and spread around the world soon after, according to security experts.

A conversation circulating online saw one doctor saying "our hospital is down".

"We got a message saying your computers are now under their control and pay a certain amount of money," the messages read. "And now everything is gone.”

The NHS has been hit by such attacks before. But this was by far the worst, experts said, taking down an unprecedented number of trusts and hospitals.

It came soon after a report was published in the British Medical Journal in which neurologist Dr Krishna Chinthapalli warned hospitals that they were at risk of an attack.

"We should be prepared: more hospitals will almost certainly be shut down by ransomware this year," he wrote.

He warned just hours before the hack broke out that IT departments needed to do more to keep hospitals safe, and that such hacks – which have already hit some hospitals in the US – were a problem waiting to happen.

However, the new attack was the worst ever seen, he said.

"I've never heard about a ransomware attack being so widespread - affecting so many hospitals across such a wide area," he said.

"There have been many isolated attacks but this is the first to be so coordinated - a number of attacks in different parts of the country.

"We have not seen this either here or in other countries - such as America."

NHS trusts also were asking people not to come to A&E, but instead to ring 111, or 999 in the case of an emergency.

“To ensure that all back-up processes and procedures were put in place quickly, the trust declared a major internal incident to make sure that patients already in the trust’s hospitals continued to receive the care they need," a spokesperson for East and North Hertfordshire NHS trust said.

Other trusts stressed that some of the problems were being caused by protective measures, rather than the cyber attack itself.

"Following a suspected national cyber attack we are taking all precautionary measures possible to protect our local NHS systems and services," NHS Merseyside said on Twitter.

NHS Blackpool Clinical Commissioning Group tweeted: "We are aware of an IT issue affecting some GP computer systems.

"Patients are asked for understanding whilst the issue is resolved.

A woman points to the website of the NHS: East and North Hertfordshire notifying users of a problem in its network

"Please avoid contacting your GP practice unless absolutely necessary. Should you wish to obtain non-urgent medical advice, please call 111.

"Please also only attend the Walk-In Centre and A&E department if absolutely necessary."

A spokesman for NHS England said there was "an issue with IT", but referred further inquiries to NHS Digital, which did not immediately comment.

Prime Minister Theresa May said the hit on the NHS was part of a wider attack and said there was no evidence that patient data had been compromised.

"This is not targeted at the NHS, it's an international attack and a number of countries and organisations have been affected," she said.

"The National Cyber Security Centre is working closely with NHS digital to ensure that they support the organisations concerned and that they protect patient safety.

"And, we are not aware of any evidence that patient data has been compromised.

"Of course it is important that we have set up the National Cyber Security Centre and they are able to work with the NHS organisations concerned and to ensure that they are supported and patient safety is protected."

But shadow health secretary John Ashworth said the attack was a "real worry for patients".

"Our hard-working NHS staff are already operating under unprecedented pressure and should be given every support to help the public in the face of these malicious and disturbing actions," he said.

"This incident highlights the risk to data security within the modern health service and reinforces the need for cyber security to be at the heart of government planning. The digital revolution has transformed the way we live and work but we have to be ready for the vulnerabilities it brings too.

"The Government needto be clear about what's happened and what measures they are taking to reduce the threat to patients."

The Patients' Association condemned the criminals behind the cyber attack on the NHS but said lessons from earlier incidents had not been learned.

In a statement the group said: "We should be clear that responsibility for today's apparently extensive attack on NHS IT systems, and for any harm that occurs to patients as a result, lies with the criminals who have perpetrated it.

"From reports so far, the attack appears to have been highly coordinated and aggressive and a police investigation will no doubt be required.

"However, that something of this sort could happen will surprise few people.

The instruction file that Nurse Helen Barrow, of Littleborough, Lancashire, found on her desktop after becoming the first known UK victim

"It has long been known that the NHS struggles with IT in multiple respects and that this includes serious security problems.

"Though today's may be the largest attack of this sort, it is not the first - yet the lessons from earlier incidents have not been learnt.

It comes months after Barts Health Trust, the largest NHS trust in England, was hit by a ransomware cyber attack.

The problems were widespread across the world, with the Wanna Decryptor malware spreading itself across the internet.

"This cyber attack is much larger than just the NHS," said Travis Farral, director of security strategy for cyber security firm Anomali Labs. "It appears to be a giant campaign that has hit Spain and Russia the hardest."

Some people are already paying to get their files back, Mr Farral said.

Wanna Decryptor, the malware that is being used, has been known to cyber security experts for weeks. But the version spreading across the internet has just been updated, according to reports.

"The ransomware used in this attack is relatively new - it was first seen in February 2017, and the latest variant emerged earlier today," said Aatish Pattni from cyber security firm Check Point.

"Even so, it's spreading fast, with organisations across Europe and Asia being hit.

"It shows just how damaging ransomware can be - and how quickly it can cause disruption to vital services.

"Organisations need to be able to prevent infections taking hold in the first place, by scanning for, blocking and filtering out suspicious files content before it reaches their networks.

"It's also essential that staff are educated about the potential risks of incoming emails from unknown parties, or suspicious-looking emails that appear to come from known contacts."

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in