The Scottish Mail on Sunday

NHS failed to act over 66 alerts

Crooks launched cyber blitz last year but police NOT told

Health chiefs are slammed over their outdated computers

Now hospitals are braced for 2nd wave of ransomware raids


HACKERS demanding ransoms launched 66 cyber attacks on hospitals last year – but none was reported to police.

The astonishing failure of the NHS to take action laid its computer systems open to the devastating assault on Friday, experts said.

Details of the 2016 incidents only emerged during a Mail on Sunday investigation using freedom of information requests.

Our inquiries found that one London NHS trust – Imperial College Healthcare – was hit 19 times in the year. And eight of the 27 trusts affected were subjected to more than one attack.

The NHS was crippled on Friday by a global computer virus that encrypted data and demanded a ransom for it to be unlocked again.

The severity of the disruption, which affected 48 trusts and led to cancelled operations, was partially blamed on outdated software on tens of thousands of NHS computers, leaving them open to attack.

One expert, Brian Lord, a former GCHQ director, said fear of ‘embarrassment’ may have stopped the trusts coming forward to report the earlier attacks. He said they should have led to hospitals ‘getting their basic security measures up to date and not doing the equivalent of leaving all the doors and windows wide open’.

Last night, as experts warned that the NHS faced a race against time to protect its computers from a ‘second-wave’ attack ten times worse than the first:

Ministers faced a backlash over their handling of the affair;

A British whizzkid working from his seaside home single-handedly halted the global virus;

Other Government bodies were warned they could soon fall victim to a similar attack;

Hospitals continued to turn away patients;

A surgeon at St Barts in London told how he performed a heart operation while computer screens shut down around him;

Europol cyber detectives launched an international manhunt for the hackers, with experts saying the culprits could be gangsters from Ukraine and Russia

Hackers also targeted the Nissan car plant in Sunderland.

The NHS had previously spent £12billion on a failed nationwide programme to computerise records. Launched by Tony Blair in 2002, the project was scrapped in 2011.

Yet in 2015, Ministers refused to extend a £5.5 million Microsoft contract to provide ongoing security for tens of thousands of NHS computers. If they had done so, it would have limited Friday’s attack.

Last night, Ministers were criticised over their handling of the affair, with Home Secretary Amber Rudd facing accusations of ‘breathtaking complacency’.

As operations were cancelled, patients turned away from hospitals and doctors left unable to access test results and patient records, Miss Rudd said: ‘So far, all we have seen is patients inconvenienced.’

Shadow Health Secretary Jonathan Ashworth said: ‘What she should be doing now is reassuring patients she is now making all possible efforts to go after the cybercriminals – not making glib remarks that belittle the chaos now affecting the NHS.’

Health Secretary Jeremy Hunt also faced a backlash for failing to speak publicly about the fiasco. Normally active on social media, he last tweeted five days ago, posting a picture of himself holding a cake.

Shadow Cabinet Office Minister Jon Trickett said: ‘At a time of such an extraordinary crisis, it beggars belief that Mr Hunt is yet to make any public statement on the cyber attack. He should be at the heart of the Government’s response.’

In NHS Scotland, 13 boards were affected by the cyber attack, with IT experts working over the weekend to get most systems back in action by tomorrow. As well as NHS Borders, others hit by the ‘ransomware’ included NHS Dumfries and Galloway, Fife, Forth Valley, Lanarkshire, Greater Glasgow and Clyde, Tayside, Western Isles, Highlands, Grampian, Ayrshire and Arran, NHS National Services and the Scottish Ambulance Service.

Worst affected was NHS Lanarkshire, with some hospital outpatient services disrupted yesterday, while in the other areas the number of PCs or systems affected, mainly at GP surgeries, were in the single figures. Last night, Health Secretary Shona Robison said: ‘The National Cyber Security Centre is leading the response to these attacks and we continue to receive updates on the situation and their efforts to rectify the issues faced.’

Down south, all but six of the affected NHS trusts are now back to normal, according to Miss Rudd, who sought to play down its effects. Speaking after an emergency Cobra meeting in Downing Street, she said: ‘there’s always more’ that could be done to protect against computer viruses.

Many of the NHS computers still run Windows XP, an out-of-date operating system that is vulnerable to attack as maker Microsoft stopped issuing security ‘patches’ in 2014. Other computers within the health service use a newer operating system – but it is believed they were still open to attack as they were not using the latest updates.

In March, Microsoft issued a patch to close the weakness exploited by hackers on Friday, but users who did not install the update were left vulnerable.

Ross Anderson, professor of security engineering at Cambridge University, said: ‘If large numbers of NHS organisations failed to act on a critical notice from Microsoft two months ago, whose fault is that?’

The worldwide attack was so severe that Microsoft announced that it would make security fixes available for free for older Windows systems, including XP.

As experts assessed the fallout from the attack, Government bodies and other organisations were warned to secure their networks immediately to prevent them being infiltrated.

Security expert Paul Norris said large networks were particularly at risk as the virus continues to spread. ‘It’s highly possible that more organisations and Government bodies will have been affected,’ he said.

Friday’s attack directly infected around 125,000 computers, but it is thought that up to two million machines worldwide were potentially exposed.

Only 24 hours before Friday’s attack, a doctor warned that NHS hospitals needed to be prepared for such an incident. In an article published in the British Medical Journal, Dr Krishna Chinthapalli, a registrar at London’s National Hospital for Neurology and Neurosurgery, said hospitals ‘will almost certainly be shut down by ransomware this year’.

None of the NHS trusts targeted last year paid ransoms. Those who responded to questions from The Mail on Sunday said the ransomware attacks had originated from ‘phishing’ emails, USB sticks, and in at least one case ‘downloading links from compromised websites’.

Experts said trusts’ reluctance to alert the authorities may stem from embarrassment at falling victim to the attacks. Former GCHQ boss Mr Lord, now managing director of security firm PGI Cyber, said: ‘In very few other crimes does the victim have to carry so much responsibility for the crime.

‘People still don’t see cyber attacks as a crime, in the way they would if someone had broken into the hospital and stolen a machine. If basic cyber security measures had been in place, they wouldn’t have stopped it, but they would have greatly hindered its spread.’

The attack, which is thought to have started in the UK then spread globally, hit organisations in at least 99 countries. It is understood the NHS was the largest institution to be targeted. Europol described the attack as ‘unprecedented’ and said its cyber crime team was working with affected countries to ‘mitigate the threat and assist victims’.

Five NHS trusts are still said to be ‘needing help’ with restoring their IT systems, including St Bartholomew’s in London.

The malware spread quickly on Friday, leaving hospitals and GPs unable to access patient data, with many doctors resorting to using pen and paper. Hackers demanded a payment to access blocked files.

There are fears that the effects of the continuing threat are going to be felt for months, if not for years.

Lynne Owens, head of the National Crime Agency, said: ‘At this moment we don’t know whether it’s a very sophisticated criminal network or whether it’s a number of individuals operating together.’

Robert Pritchard, a cybersecurity expert at defence think tank Royal United Services Institute, said: ‘Ransomware attacks happen every day, but what makes this different is the size and boldness of the attack.’

BRITAIN’S National Health Service has plainly been carefully targeted by internet highwaymen looking for easy victims. They did not choose the NHS because it was impoverished. On the contrary, they seem to have assumed it was quite likely to submit to their extortionate demands.

The NHS is seldom short of money when it wants to waste it on electronic mistakes. In 2011, it scrapped New Labour’s £12.7billion scheme, the biggest civilian IT project in the world at the time. It took nine years of colossal, extravagant waste for it to be certain that it would never work properly.

Nor is this the NHS’s first problem with internet security. In March, the confidentiality of the medical records of 26 million patients was urgently called into question.

Last summer, several NHS trusts were compelled by Freedom of Information requests to admit that they had been hit by ‘ransomware’ attacks similar to Friday’s assault. They either denied paying or would not say if they had met the extortioners’ demands. Yet little seems to have been done to prepare for further problems of this kind.

While there was money to squander on failed IT systems and – very possibly – to pay crooks, nobody seems to have found the comparatively small amounts of cash needed to modernise the worn-out and hopelessly insecure Windows XP systems still used by nine out of ten trusts.

In short, this is a matter of incompetence, lack of vigilance and skewed priorities, not of money. Once this urgent crisis has been resolved, we need to ensure that future problems of this kind are foreseen, planned for and mostly prevented.

That will need competent management which knows how to spend scarce resources.

It would do the NHS no end of good if those in charge of it, and politicians who have made a sort of religion out of it, concentrated far more on good management than on cash. No amount of money will overcome the sort of slackness and folly revealed this weekend.

The undoubted skills, compassion and abilities of the NHS’s doctors and nurses require a similar level of dedication and ability among its bosses if it is to survive in this feverish and perilous era.
