NHS cyber attack: the lessons to be learned

Nurses across England and Scotland had to cope with major disruption last month when dozens of NHS organisations fell victim to a cyber attack.

Nurses across England and Scotland had to cope with major disruption last month when dozens of NHS organisations fell victim to a cyber attack

It's not a case of if an attack happens again, but when it happens....
 Picture: iStock

Nurses across England and Scotland faced major disruption last month when dozens of NHS organisations fell victim to a cyber attack.

The health service was thrown into chaos as computers were locked by a ransomware program that demanded payment to access files that had been locked. Staff were unable to access notes, patients faced uncertainty about operations, and some hospitals had to divert emergency ambulances elsewhere.

A community nurse from Essex told the Guardian newspaper her call centre for community services went into lockdown and staff had been unable to receive any information about authorisations for medicine changes or referrals, or to look up patients’ addresses, complete documentation or check test results.

12 May

start of the cyber attack

Another community nurse from Grimsby tweeted: 'No cyber attack will lower our standard of care. We just keep going!'

In all, 48 NHS trusts in England and 13 NHS bodies across Scotland were hit by the cyber attack, which started on 12 May. By 15 May, NHS England said only a handful of organisations were still affected and that the health service was 'open for business'.

So how was the attack handled, and what lessons can be learned?

Remedial steps

Rob Shaw, interim chief executive of NHS Digital, the health service's internal IT provider, told a board meeting last week that it was working with the National Cyber Security Centre to establish the cause of the attack, which affected organisations in 99 countries worldwide.

'On the day of the attack, as soon as we received clear, corroborated intelligence on this issue, which related to malware (software designed to disrupt or damage a computer system), we took a number of steps.

‘Rightly, this began with issuing a targeted bulletin that gave specific advice and remedial steps to NHS organisations.’

He said a round-the-clock specialist helpline was set up within an hour of confirming the basic details of the incident, and a command control centre was established. Data security experts were also deployed to assist organisations on the ground for as long as they were needed.

‘Crucially, we worked with other bodies such as NHS England, the Department of Health and the National Cyber Security Centre to establish a multi-agency approach.  We also provided support to the Cabinet Office and to Cobra, as well as to the secretary of state for health throughout the incident.’ 

Minimising risk

He said the organisation’s data security centre team would remain vigilant in alerting NHS organisations to known cyber security threats and advising them of appropriate steps to minimise risks, in addition to protective monitoring of NHS national IT services and systems.

Among those affected was London's Barts Health NHS Trust, the largest in the UK. Some ambulances were diverted to neighbouring hospitals and operations had to be cancelled.

Although there were no outpatient appointments at the trust’s hospitals the day after the attack, which was a Saturday, the trust had contingency plans to ensure patient safety allowing it to keep all its hospitals open.


NHS trusts in England were affected

It was nearly two weeks after the incident before staff could access emails.

The trust is to hold an investigation ‘in due course’. A spokesperson said: ‘We always work closely with our anti-virus supplier to ensure testing and protection is up to date, and anti-virus software is updated daily.

'We are also investing in upgrading our IT infrastructure where it is most needed, with over £2 million spent on new computers at Whipps Cross Hospital and a £1.5 million upgrade at Newham Hospital under way. We are committed to supporting staff to work digitally to improve efficiency and patient safety.’

The NHS’s north of England commissioning support unit reported that a number of organisations in the North East and north Cumbria were affected by the virus and had to shut down their IT systems.

Trusts in the region that were not directly affected by the virus also closed their external servers as a precautionary step to ensure the virus didn't spread. Staff working remotely were reminded not to switch on NHS laptops or computers until notified by their line manager that they could do so.

North Tees and Hartlepool NHS Foundation Trust was one of the trusts that took preventive measures to protect its computer system, putting it in lockdown to minimise any possible infection.

Staff awareness

Trust chief information and technology officer Graham Evans says an imminent cyber event was something the trust had considered over the past year, and it had raised awareness among staff.

Dr Evans says: ‘While the trust was not infected, we were affected as a consequence of our proactive steps. Lessons have been learned and systems and controls strengthened.

‘Our expectation is that it will not be a case of if this happens again, but when it happens again, so continued vigilance and awareness by all staff relating to these emerging threats will be key to the future.’


NHS organisations across Scotland were also hit

NHS Digital has already warned of the possibility that a ransomware cyber attack could happen again.

Birmingham City University school of computing and digital technology associate professor Ron Austin believes the cost of fixing and rebuilding all the systems affected by the cyber attack will run into hundreds of millions of pounds.

‘We all know that we need to lock the doors and close the windows before we leave the house. We seem to forget these basic requirements when we are online.’

Wake-up call

He explains that computer systems need to be up to date and that cyber and network security needs to be an ongoing issue at board level. 

‘Until the NHS and every other company and business start to take data/information security seriously these attacks will continue to succeed and will become more effective.’ 

Professor Austin says best practice when using the internet includes being vigilant when accessing links sent via email or within a website.  

‘The spread of the attack and the impact is a wake-up call for all network administrators and managers.

 'It may seem like the horse has bolted, but the time to review and reflect on security policies is now.’

Cyber attack on the Queen's Nursing Institute

One nursing organisation that knows all too keenly the impact of cyber attacks is the Queen's Nursing Institute (QNI) in London, which was hit just after the Easter break.

‘The QNI’s server was compromised by a ransomware virus that suddenly and completely paralysed our shared drive and email,' QNI chief executive Crystal Oldman explains.

‘We do not know how the virus breached our firewall and anti-virus software, which were fully up to date. However, our external IT contractors said this was the worst virus they had ever seen.

‘It was a slow process to rebuild our systems and we have had to make some significant adjustments, which are still ongoing.'

No personal or other data was lost and no attempt was actually made to steal information or extort money from the organisation.

But Dr Oldman adds: ‘If you take into account the amount of staff time that can be lost in an event like this, it underlines exactly how important it is that your IT systems and security software are as up to date as possible.

‘IT is a great enabler, but this is a reminder of how vulnerable any organisation can be.'

Petra Kendall-Raynor is a freelance health journalist




This article is for subscribers only