Cyber attack: NHS needs to change’
Experts say failure to upgrade meant hospitals were vulnerable Boss scrambling to restore IT systems after wave of hacks
HOSPITAL chiefs failed to adequately invest in computer security despite a wave of attempted cyber attacks on Scottish health boards, an expert warned last night.
Injured patients were turned away and appointments cancelled after 11 of the country’s 14 health boards were hit by a massive malicious hack on Friday, which is believed to be the biggest of its kind ever seen.
Almost 100 countries were caught up in the onslaught, causing widespread chaos in hospitals, companies and government agencies across the globe.
NHS bosses are now scrambling to restore systems by tomorrow morning, but insisted no patient data had been compromised.
Figures obtained by The Sunday Post show nearly every health board in Scotland has been targeted by a ransomware attack – whereby hackers block a computer until money is paid – over the last five years.
However, our research shows relatively small sums are being spent on cyber security since 2012, ranging from NHS Lothian’s £ 445,000 to £ 125,000 by the Scottish Ambulance Service.
Leading cyber security expert Professor Bill Buchanan said: “For some reason we have underinvested in IT in the NHS.
“I feel quite sorry for them – they are faced maybe not with the best systems. But they need to change.”
Across Scotland, GPs spoke of “massive disr up t i o n” as the cyber attackers locked computers and demanded a payment worth £230 per machine to access files.
Lanarkshire NHS was the worst hit board. At Hairmyres hospital in East Kilbride, patients were turned away as they went in to A&E – while others received minimal treatment.
Signs outside the unit warned patients not to book in unless they had “a very serious illness or injury.” Dr Helen Mackie, chief of medical services at the hospital, urged patients to take their medication with them, warning doctors could have problems accessing their records.
Elsewhere, Dr Emma Fardon, a GP in Dundee, said the attack had had a “massively disruptive effect”.
She said: “We can’t access any patients’ records. Everything is fully computerised.”
In total, 45 NHS organisations in England and Scotland were disrupted – while the huge Nissan plant in Sunderland was among firms hit. Questions are now being asked over the use of old computer systems and the failure of some health boards to implement a vital security update issued by Microsoft in March.
NHS Fife admitted the fix had not yet been applied – despite Microsoft bosses labelling it “critical” – while NHS Lanarkshire was unable to say. NHS Grampian could only say it had been applied to “the majority” of servers.
Meanwhile, NHS Highland, NHS Ayrshire and Arran, NHS Glasgow and NHS Western Isles all said some of their computers still used the vulnerable 15-year-old Windows XP operating system.
They said an emergency security update had been is s u e d by Microsoft and was being deployed.
Health boards have faced numerous computer blackmail attempts in recent years, with NHS Greater Glasgow and Clyde alone hit with three ransomware attacks last year.
In the vast majority of cases, NHS staff did not hand over money to unlock their files. Instead, the computer was broken down and rebuilt by IT staff.
Professor Buchanan, from Napier University, said early signs indicated the massive hack had been able to cripple NHS computers due to the fa i l u re to implement Microsoft’s update – as well as a vulnerable gap in an NHS firewall.
He insisted any failure to apply Microsoft’s fix was “negligence” if it had been the cause.
“It looks like that was the way that the ransomware got in.
“Companies have had about four or five weeks to patch and it obviously hasn’t happened in many cases. You need to be doing that in a few days – especially with something like the NHS.”
Scottish Health Secretary Shona
Robison said: “This has been a global cyber- attack which has impacted on countries across the world and clearly any incident of this nature is hugely concerning – but it’s important to stress that there is no evidence to suggest patient data has been compromised.
“We have taken steps to ensure the cause of this attack is identified and have managed to isolate the issues within the NHS in Scotland.
“Boards are working on protecting and restoring those systems, with a view to getting most operational by Monday.”
Europol, the European Union’s police agency, said “a complex international investigation” would be required to identify the culprits.
Experts said the ransomware appeared to exploit a vulnerability in Microsoft Windows that was purportedly identified by the US National Security Agency for its own intelligence- gathering purposes and later leaked to the internet.