A massive ransomware attack has pulverised NHS hospitals across England, forcing them to divert emergency services and shut down their IT systems.
Hospitals are at present unable to take calls as all computers and IT systems have been shut down as a protective measure against ransomware.
NHS Digital have released a statement to say that the ransomware attack was not specifically targeted at the NHS and was also affecting other organisations.
They said they had identified the malware variant to be one called Wanna Decryptor and said that at 1530hrs, 16 NHS organisations had reported being affected by the attack.
The NHS Digital statement said: "NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and ensure patient safety is protected.
"Our focus is on supporting organisations to manage the incident swiftly and decisively, but we will continue to communicate with NHS colleagues and will share more information as it becomes available."
Many NHS computers have been shut down as a protective measure to keep them from being taken over by hackers. The NHS is keen to point out that patient data has not been accessed and that it is working with national security agencies to identify and remedy the situation.
The infection has also affected the telephone systems. The malware pop-up flashes red on computer screens saying they want $300 in three days to return patient data to the NHS.
Security experts have repeatedly raised the alarm about the poor state of cyber-security in NHS hospitals and trusts. In 2015, nearly half of all NHS trusts in England were hit by ransomware, according to data obtained by NCC Group via a freedom of information request: out of 60 trusts that responded, 28 had suffered ransomware attacks. "There is no silver bullet or one single solution that can stop this type of attack, despite what many security companies may claim," said Ollie Whitehouse, technical director at NCC Group.
"Instead, we would recommend a multi-layered approach, applying robust controls such as regular patching of software, using up-to-date anti-virus and educating staff as to the risks posed by phishing and ransomware," he added.
NHS hospitals are now asking people to ring 111 or 999 for emergency services as all systems are offline and new services have been suspended. "To ensure that all back-up processes and procedures were put in place quickly, the trust declared a major internal incident to make sure that patients already in the trust's hospitals continued to receive the care they need," said the East and North Hertfordshire NHS trust.
The NHS trusts affected are:
- Watford General
- Lancashire - Blackpool
- Broomfield Hospital, Essex
- Lister - Stevenage
- East & North Hertfordshire
- Northwick Park (NW London)
- St Bartholomew and Royal London
- Colchester General Hospital
- Norfolk and Norwich
- James Paget (Norfolk)
- Queens Hospital, Burton
- UHNM - Royal Stoke
The problem the NHS faces is that each trust is on its own, with separate budgets and priorities. "It is like herding cats. Each of the hospitals can configure what the heck they like and that's what they have done!" according to Michael Boyd, MD Mountfield Consulting Ltd.
NHS staff have told the Guardian: “A bitcoin virus pop-up message had been introduced on to the network asking users to pay $300 to be able to access their PCs. You cannot get past this screen. This followed with an internal major incident being declared and advised all trust staff to shut down all PCs in the trust and await further instructions.
“This is affecting the east of England and a number of other trusts. This is the largest outage of this nature I’ve seen in the six years I’ve been employed with the NHS.”
Staff also sent through screenshots of their computer screens, though there is no way of verifying whether these are accurate.
Alluding to the gravity of the situation, several of the Trusts took to Twitter to communicate directly with their communities. Blackpool Hospitals tweeted to say: "We apologise but we are having issues with our computer systems. Please don't attend A&E unless it's an emergency. Thanks for your patience."
"The large-scale cyber-attack on our NHS today is a huge wake-up call. The effects of this data breach include hospitals having to divert emergency patients, with doctors reporting messages from hackers demanding money, a clear signal of ransomware activity. It also highlights the ever-increasing importance of having a 360-degree visibility of activities and behaviour around business-critical data - particularly for large organisations like hospitals," says Dr Jamie Graves, CEO at ZoneFox.
"Because the NHS holds some of the most sensitive data of all - individuals' health records - it's a goldmine for criminals. While we are still waiting to find out the scale of this attack, it could possibly have severe impacts on critical medical procedures - not just a case of reputational damage and financial loss. Fundamentally, the government needs to pool cyber security specialists together to tackle this growing threat to ensure this does not happen again," he added.
"This cyberattack on a rapidly growing list of NHS Trusts is shining a big, bright spotlight on the holes in their defences. If ransomware can temporarily halt productivity and medical care due to overexposed permissions, you can only imagine what a malicious insider or external actor with co-opted credentials can do to your organisation and how long they can go undetected," said Matt Lock, Director of Sales Engineer at Varonis.
"Organisations should ensure that they actively monitor their IT infrastructure, specifically users and the files and emails they can access, and then perform regular attestations of access rights to reduce overexposed sensitive from being hijacked in the first place as well as perform user behaviour analytics against threat models that look for signs of ransomware activity.”