High profile NHS 'cyber attack' may have 'come from USB stick'

Martyn Smith, director of IT and innovation at Hull and East Yorkshire Hospitals Trust, told a board meeting last week it appeared the source of the virus that affected Northern Lincolnshire and Goole Foundation Trust at the end of October was a USB stick, or an NHS employee working remotely. If this was the case, it is likely that following good practice on use of technology may have avoided the security breach.

The Hull trust has subsequently told HSJ Mr Smith’s comments were “speculative”.

Northern Lincolnshire said it could not comment on Mr Smith’s claims because “the police investigation is still continuing”.

The trust was forced to cancel thousands of operations after what it called a “cyber attack” affected its IT network, prompting it to close down the majority of its systems.

The cyber security team at NHS Digital warned all NHS providers last month of a “potential threat to your organisation” as a result.

Mr Smith said he did not have confidence that Hull and East Yorkshire’s antivirus protection would block a similar “zero day virus”.

A zero day virus, also known as zero day malware or next generation malware, is previously unknown so no specific antivirus software signatures are available to prevent it.

“There will always be a time lag between the launch of a zero day virus and the release (worldwide) of the antivirus system supplier,” Mr Smith said. This “poses the same problems throughout the industry”, he added.

He said the “biggest potential exposure is a ransomware attack”, which could be launched by staff opening attachments linked to bogus but seemingly innocent emails.

He said: “This can have a catastrophic impact. Technical controls cannot prevent this.”

Mr Smith also said he believed his trust had strict controls on the use of USB sticks.

A North Lincolnshire spokeswoman said it “has a policy on removable media and a policy on information technology security”. She said its protections included only allowing “the ’read only’ action [on documents] from all USB sticks, which is achieved by using blocking software to prevent the writing and storing of data”.

She said: “Only sanctioned, corporate encrypted USB sticks provided by the IT department are allowed to be written to. All trust laptops and tablets are encrypted.”

Mr Smith told the Hull board that the trust had signed up to NHS Digital’s new NHS CareCERT Assure service, which provides an onsite independent assessment of resilience.

He also proposed that the trust should commit to achieving CERT-UK cyber security standards, and suggested the trust takes the following steps:

• A staff education, training and awareness programme for cyber risks.
• An enhanced policy framework based on CERT-UK cyber security standards.
• An incident management and disaster recovery capability.
• Introducing a proactive, real time, monitoring of network activity.
• A risk assessment and business continuity plan review for all key trust systems, including offsite hosted/managed systems.
• Re-evaluation of the security threat from social media and third party email systems.
• Considering prohibiting the use of non-encrypted USB sticks.
• Considering removal of generic logon accounts.
• Considering implementing more robust passwords protocols.