• Northern Lincolnshire criticised for not using NHS Digital’s cyber security expert team
• Central team yet to arrive on site as trust opts for private firm to help it manage virus
• News follows significant concerns being raised that virus could spread

The hospital trust at the centre of the NHS’s most severe cyber security attack to date is facing fundamental questions about its handling of the hack and whether it acted in the best way to contain the virus.

Northern Lincolnshire and Goole Foundation Trust was forced to cancel thousands of operations after a virus infected its IT system on Sunday, prompting it to close down the vast majority of its system.

The trust confirmed on Thursday that services had resumed after a three-day period in which routine operations, outpatient appointments and diagnostics were cancelled at its three hospitals in Grimsby, Scunthorpe and Goole.

West Yorkshire Police are now investigating the matter as a crime, a trust spokeswoman also confirmed.

But senior IT managers and cyber security professionals have raised concerns to HSJ about the trust’s decision not to call NHS Digital immediately to alert them to the threat and not to bring in the CareCERT team.

The news follows HSJ revealing yesterday there were significant concerns that the hack could have ramifications for other trusts.

Trusts hit by cyber-attacks generally alert NHS Digital and its designated CareCERT cyber security team within hours.

Independent sector and NHS sources told HSJ CareCERT had a robust track record of identifying and containing threats, helping senior staff to manage the response and assessing the wider implications for other trusts.

But HSJ has learned the trust instead opted to draft in a GCHQ-accredited private cyber security firm to assist it.

The trust has not set out its reasons for not making full use of the central team, but told HSJ today CareCERT would be on site from next week. It said it had stayed in “regular communication” with NHS Digital over the period of the attack.

One private sector cyber security expert said taking all the help on offer when faced with such a crisis was critical.

The source told HSJ: “If the trust did not let CareCERT in straight away, that is really, very foolish. If I was the chair at the trust I would be open to all possible help.”

The expert added: “There is a very interesting question about what the liability is [for the trust]. People have suffered and there are questions about whether the trust acted quickly enough in the right way…

“Early intervention and early warning is absolutely crucial. Any delay in action inevitably makes the problem fundamentally more difficult to deal with.”

NHS trust sources were equally surprised by the move, with one senior trust IT manager saying that a call to CareCERT would have been advisable within the first three hours.

It is understood that CareCERT found out about the breach on Sunday, but not via official channels.

The CareCERT service does not have a mandate to ‘force entry’ on a trust. Instead the team must wait until it is invited on site. HSJ understands the trust’s decision not to invite CareCERT on site has meant NHS Digital has been unable to formally identify the virus.

The nature of the virus has still not been confirmed. But HSJ understands the virus worked by firing a constant and sustained series of passwords at the trust’s system, one of which allowed it access. The virus is not being regarded as particularly sophisticated or novel.

The trust, in response to the concerns, said: “The trust has been in regular communication with NHS Digital and we have been working alongside a [government] approved provider from an early stage.

“Trust systems and processes detected a problem late evening Sunday October 30 and we declared a major incident on Monday October 31. This is a localised issue and has had an impact on just one other local trust, with whom we share a system.”

NHS Digital said earlier this week: “We have made contact with [the trust] to offer support; they remain data controllers and they have informed us that they are taking steps to resolve the situation. We will continue to offer support and guidance as requested.

“This issue highlights the fact that there are threats to data security within the health and care, as with any other sector. We remain committed to supporting the protection of data with the highest possible security standards, high levels of security expertise from.”

UPDATED at 9:40am on 4 November to reflect that the trust has said West Yorkshire Police are now investigating the matter as a crime.