The Mail on Sunday

NHS HAD 66 ALERTS BUT DID NOTHING

Cyber crooks launched multiple raids on hospitals last year...but not one was reported to police

- Ian Gallagher, Stephen Adams, Ned Donovan and Martin Beckford

HACKERS demanding ransoms launched 66 cyber attacks on English hospitals last year – but none was reported to police.

The astonishing failure of the NHS to take action laid its computer systems open to the devastating assault on Friday, experts said.

Details of the 2016 incidents only emerged during a Mail on Sunday investigation using freedom of information requests.

Our inquiries found that one London NHS trust – Imperial College Healthcare – was hit 19 times in the year. And eight of the 27 trusts affected were subjected to more than one attack.

The NHS was crippled on Friday by a global computer virus which encrypted data and demanded a ransom for it to be unlocked again.

The severity of the disruption, which affected 48 trusts and led to cancelled operations, was partially blamed on outdated software on tens of thousands of NHS computers, leaving them open to attack.

One expert, Brian Lord, a former GCHQ director, said fear of ‘embarrassment’ may have stopped the trusts coming forward to report the earlier attacks.

He said they should have led to hospitals ‘getting their basic security measures up to date and not doing the equivalent of leaving all the doors and windows wide open’.

Last night, as experts warned that the NHS faced a race against time to protect its computers from a ‘second-wave’ attack ten times worse than the first:

Ministers faced a backlash over their handling of the affair;

A computer whizzkid working from his home on England’s South West coast single-handedly halted the global virus;

Other Government bodies were warned they could soon fall victim to a similar attack;

Hospitals continued to turn away patients;

A surgeon at St Barts in London told how he performed a heart operation while computer screens shut down around him;

Europol cyber detectives launched an international manhunt for the hackers, with experts saying the culprits could be gangsters from Ukraine and Russia;

Hackers also targeted the Nissan car plant in Sunderland.

The NHS had previously spent £12 billion on a failed nationwide programme to computerise records. Launched by Tony Blair in 2002, the project was scrapped in 2011.

Yet in 2015, Ministers refused to extend a £5.5 million Microsoft contract to provide ongoing security for tens of thousands of NHS computers. If they had done so, it would have limited Friday’s attack, which has triggered a political blame game.

Last night, Ministers were criticised over their handling of the affair, with Home Secretary Amber Rudd facing accusations of ‘breathtaking complacency’.

As operations were cancelled, patients turned away from hospitals and doctors left unable to access test results and patient records, Ms Rudd said: ‘So far, all we have seen is patients inconvenienced.’

Shadow Health Secretary Jonathan Ashworth said: ‘It is breathtakingly complacent and utterly dismissive of what NHS patients have been going through for the Home Secretary to say that they have simply been inconvenienced. What she should be doing now is reassuring patients she is now making all possible efforts to go after the cyber-criminals – not making glib remarks that belittle the chaos now affecting the NHS.’

Health Secretary Jeremy Hunt also faced a backlash for failing to speak publicly about the fiasco. Normally active on social media, he last tweeted five days ago, posting a picture of himself holding a cake.

Shadow Cabinet Office Minister Jon Trickett said: ‘At a time of such an extraordinary crisis, it beggars belief that Mr Hunt is yet to make any public statement on the cyber attack. He should be at the heart of the Government’s response.’

All but six of the affected NHS trusts are now back to normal, according to Ms Rudd, who sought to play down its effects. Speaking after an emergency Cobra meeting in Downing Street, she said: ‘there’s always more’ that could be done to protect against computer viruses.

She added that 97 per cent of NHS trusts were ‘working as normal’ and there was no evidence patient data was affected.

‘The response has, in fact, been very good,’ she said. ‘We think we have the right preparedness in place and also the right plans going forward over the next few days to ensure that we limit its impact.’

But embarrassingly, she was forced to fend off questions about Mr Hunt’s disappearance, saying lamely that there had been ‘plenty of representatives from the NHS... saying what is going on’.

Many of the NHS computers still run Windows XP, an out-of-date operating system that is vulnerable to attack as makers Microsoft stopped issuing security patches in 2014. Other computers within the health service use newer operating systems – but it is believed they were still open to attack as they were not using the latest updates. In March, Microsoft issued a patch to close the weakness exploited by hackers on Friday, but users who did not install the update were left vulnerable.

Ross Anderson, professor of security engineering at Cambridge University, said: ‘If large numbers of NHS organisations failed to act on a critical notice from Microsoft two months ago, whose fault is that?’ He added that the incident is the ‘sort of thing for which the Secretary of State should get roasted in Parliament’.

The worldwide attack was so severe that Microsoft announced that it will make security fixes available for free for older Windows systems, including XP.

As experts assessed the fallout from the attack, Government bodies and other organisations were warned to secure their networks immediately to prevent them being infiltrated.

Security expert Paul Norris said large networks are particularly at risk as the virus continues to spread. ‘It’s highly possible that more organisations and Government bodies will have been affected,’ he said.

Friday’s attack directly infected around 125,000 computers, but Mr Grossman said up to two million machines worldwide were potentially exposed.

Just 24 hours before Friday’s attack a doctor warned that NHS hospitals needed to be prepared for such an incident. In an article published in the British Medical Journal, Dr Krishna Chinthapalli, a registrar at London’s National Hospital for Neurology and Neurosurgery, said hospitals ‘will almost certainly be shut down by ransomware this year’.

None of the NHS trusts targeted last year paid ransoms. Those who responded to questions from The Mail on Sunday said the ransomware attacks had originated from ‘phishing’ emails, USB sticks, and in at least one case ‘downloading links from compromised websites’.

Experts said trusts’ reluctance to alert authorities may stem from embarrassment at falling victim to the attacks. Former GCHQ boss Brian Lord, now managing director of security firm PGI Cyber, said: ‘In very few other crimes does the victim have to carry so much responsibility for the crime. People still don’t see cyber attacks as a crime, in the way they would if someone had broken into the hospital and stolen a machine.’

However, he said: ‘If basic cyber security measures had been in place, they wouldn’t have stopped it, but they would have greatly hindered its spread.’

The attack, which is thought to have started in the UK then spread globally, hit organisations in at least 99 countries. It is understood the NHS was the largest institution to be targeted. Europol described the attack as ‘unprecedented’ and said its cyber crime team was working with affected countries to ‘mitigate the threat and assist victims’.

Five NHS trusts are still said to be ‘needing help’ with restoring their IT systems, including St Bartholomew’s in London.

The malware spread quickly on Friday leaving hospitals and GPs unable to access patient data, with many doctors resorting to using pen and paper. Hackers demanded a payment to access blocked files.

There are fears that the effects of the continuing threat will be felt for months, if not years.

Lynne Owens, head of the National Crime Agency, said: ‘At this moment we don’t know whether it’s a very sophisticated criminal network or whether it’s a number of individuals operating together.’

Robert Pritchard, a cybersecurity expert at defence think tank Royal United Services Institute, said: ‘Ransomware attacks happen every day, but what makes this different is the size and boldness of the attack.’

Production at Nissan’s Sunderland plant has also been affected by the attack, but bosses said there had been ‘no major impact’ on the business. ‘Like many organisations our plant was subject to a ransomware attack affecting some of our systems on Friday evening,’ a spokeswoman confirmed.

BRITAIN’S National Health Service has plainly been carefully targeted by internet highwaymen looking for easy victims. They did not choose the NHS because it was impoverished. On the contrary, they seem to have assumed it was quite likely to submit to their extortionate demands.

The NHS is seldom short of money when it wants to waste it on electronic mistakes. In 2011, it scrapped New Labour’s £12.7 billion scheme, the biggest civilian IT project in the world at the time. It took nine years of colossal, extravagant waste for it to be certain that it would never work properly.

Nor is this the NHS’s first problem with internet security. In March, the confidentiality of the medical records of 26 million patients was urgently called into question.

Last summer, several NHS trusts were compelled by Freedom of Information requests to admit that they had been hit by ‘ransomware’ attacks similar to Friday’s assault. They either denied paying, or would not say if they had met the extortioners’ demands. Yet little seems to have been done to prepare for further problems of this kind.

While there was money to squander on failed IT systems, and – very possibly – to pay crooks, nobody seems to have found the comparatively small amounts of cash needed to modernise the worn-out and hopelessly insecure Windows XP systems still used by nine out of ten trusts.

In short, this is a matter of incompetence, lack of vigilance and skewed priorities, not of money. Once this urgent crisis has been resolved, we need to ensure that future problems of this kind are foreseen, planned for and mostly prevented. That will need competent management which knows how to spend scarce resources.

It would do the NHS no end of good if those in charge of it, and politicians who have made a sort of religion out of it, concentrated far more on good management than on cash. No amount of money will overcome the sort of slackness and folly revealed this weekend.

The undoubted skills, compassion and abilities of the NHS’s doctors and nurses require a similar level of dedication and ability among its bosses if it is to survive in this feverish and perilous era.

