The must read stories and talking points in the NHS

Hospitals held to ransom by hackers

In January, HSJ predicted that “the biggest NHS technology story of the year will be linked to a significant failure in cyber security”.

“It takes time for good cybersecurity habits to feel like part of the job rather than a nuisance, especially with so many ageing ‘legacy’ systems in the mix,” we wrote. “A major leak of patient data or a cyberattack that means health services across an entire region are flying blind for many days is overdue and yet completely absent from the risk registers of most NHS organisations.”

On Friday, it appears that “overdue” attack spread across the NHS, with trusts being targeted by a major ransomware campaign. More than 20 providers have been affected (at the time of writing – see hsj.co.uk for the most up to date picture), while CCGs and GP practices in some areas have also stopped using their computers. Images from some affected machines show the hackers asking for payments in bitcoin before organisations can regain access to files.

The attack is having a significant impact on patients: some hospitals diverted emergency ambulances, asked patients to go elsewhere, and cancelled elective care. Services affected are thought to include picture archiving communication systems for X-ray images, pathology test results, phone and bleep systems, and patient admin systems.

NHS Digital said it was investigating, and urgent efforts with the National Cyber Security Centre to understand and respond to the situation are ongoing. It believes the malware being used is Wanna Decryptor.

The NCSC has guidance on how to protect your organisation from ransomware.

There have been ransomware attacks on trusts before – such as Northern Lincolnshire and Goole last year and Barts Health in January – but nothing on the scale of Friday’s virus, which appeared to target organisations from other sectors around the world.

The NHS has been warned about the hacking threat. In 2016, when he was NHS Digital chair, Kingsley Manning said cyberattacks were “a fundamental threat to the operations of hospitals” and chastised the health service for not taking digital security seriously enough. He said it was a “common problem” that the issue “does not make it into the board room”, partly because not enough chief information officers are on trusts’ boards.

In recent years funding earmarked for digital infrastructure has been raided for other parts of the NHS with varying degrees of severity – some of the serious consequences of that underinvestment have now been seen across the service. The urgency of the challenge to make the NHS’s digital systems safe and fit for the 21st century could not be clearer.