Hospital faced mass cyber attacks

Cybercrime

Wigan’s hospital IT boffins have warded off more than 86,000 cyber attacks in a little over two years.

Shocking Freedom of Information Act figures obtained by the Wigan Post - as part of the Johnston Press Investigations Team’s new cybercrime exposé - show that Wrightington, Wigan and Leigh NHS Foundation Trust was targeted by no fewer than 25,160 attempted hacks and viruses in 2015/16.

Wigan Infirmary

This then rocketed to 60,570 in the following 12 months and a further 465 have so far been reported since this financial year began on April 1.

The trust was among many hospital organisations across the world also hit by the giant ransomware onslaught in May.

Computers at Wigan borough’s hospitals were wiped out for 12 hours during the cyber attack, which caused disruption across multiple NHS organisations.

At neighbouring Royal Preston, Chorley and South Ribble hospitals around 3,000 computers were infected, it has been revealed.

The attack in Wigan took several days to rectify but in a way this wasn’t new territory.

For Wrightington, Wigan and Leigh NHS Foundation Trust revealed this week that it was targeted with 25,160 attempted attacks in 2015/16, followed by 60,570 in 2016/17 and a further 465 so far this year.

It confirmed the attacks were a mixture of standard malware and ransomware attempts.

But with no data lost, not a single one of the attacks was reported to police.

Lancashire Teaching Hospitals NHS Foundation Trust has also disclosed that 441 procedures and appointments were affected by the major cyber attack but “were quickly rearranged.”

Paul Havey, deputy chief executive at Lancashire Teaching Hospitals, said: “We have taken steps to try to safeguard against any possible future risk and have further strengthened the cyber security suite that we have in place.

“We continue to work with NHS Digital to ensure that we follow any national guidance as and when it becomes available.

“Our staff worked around the clock to restore our systems as quickly as possible to ensure our services continued to run effectively and safely for our patients.”

The Johnston Press Investigations Unit submitted Freedom of Information requests to NHS hospital trusts throughout the country before the NHS WannaCry attack occurred, asking them about cyber attacks on their organisations.

At the time of going to press WWL had not given a comment in relation to the revelation that it has weathered more than 86,000 cyber attacks in the last two and a quarter years.

Lancashire Teaching Hospitals refused the request as they felt it was exempt because disclosure could, or would be likely to, prejudice the prevention or detection of crime.

They also felt the information could be exploited for the purposes of ransomware, other malware, or to withhold and disrupt IT functionality within the trust and assist criminal offenders, seriously threatening the effective delivery of healthcare by the trust.

However, they have since revealed the information surrounding the aftermath of the WannaCry attack.

Blackpool Teaching Hospitals also refused the request for information about attempted and successful cyber attacks citing safeguarding national security and prevention and detection of crime.

A spokesman said: “If disclosed, this information could be used to identify ways of breaching our trust’s IT security which would thereby put us at increased risk of cyber attack.

“This would potentially put invaluable patient and staff data at risk which the trust has a legal duty to protect under the Data Protection Act and other confidential data which is essential to the running of trust services.”

However, a spokesman from Blackpool Teaching Hospitals said: “Staff at Blackpool Teaching Hospitals worked tirelessly to provide safe and effective care following the ransomware attack which began on Friday May 12.

“IT staff worked round the clock that weekend within the acute hospital, community settings and GP surgeries to restore systems to allow the service to continue to operate.

“On Saturday May 13, it was necessary to cancel a very small number of procedures and these patients were rescheduled. Emergency services were not compromised at any time.

“Not all systems were affected by the malware and we focussed on restoring those that were as quickly as possible.

“At no time was there any risk to patient safety as Blackpool Teaching Hospitals has a robust business continuity system.”

Six ransomware attacks took place on the University Hospitals of Morecambe Bay NHS Foundation Trust in the past three years, in which “data shared on individuals’ networks or shared drives was encrypted, which we restored from back up.” These incidents were reported by the trust to NHS Digital.

The Southport and Ormskirk Hospital NHS Trust confirmed it cancelled 42 operations and 3,047 appointments with the re-arranged appointments due to run until the end of this month.

A spokesman for the trust said: “Throughout the entire period, the trust protected the A&E department and the emergency and urgent elective surgery lists to ensure patient safety.”

The Bolton NHS Foundation Trust said it has been facing “continuous attacks” over the past five years, none of which had been successful.

The cyber attack hit numerous NHS organisations on May 12 this year. It led to patients being diverted from A&E and routine surgery being cancelled, and it stopped vital equipment such as MRI and CT scanners from working.

It was initially believed only local NHS computers were affected, but it quickly became apparent the problem was much more widespread, crippling machines across the national health service network - and indeed around the world.

The WannaCry ransomware attack locked users’ files and demanded a $300 (£230) payment to re-open them.

More than 300,000 computers in 50 countries were affected and payments of around $80,000 were made to the attackers.

The 47 trusts in England that were affected by the WannaCry cyber attack had failed to install an IT security patch that would have protected their systems and had been sent to them the previous month by NHS Digital.

Dan Taylor, head of cyber security for NHS Digital, told a cyber security conference: “Forty-seven organisations didn’t listen because they were infected but a lot of organisations did.

“There are 30,000 to 40,000 organisations in health and just 47 were infected.”

He also said he believes the incident has made senior clinicians understand the link between cyber security and delivering services to patients.

“The big comment I heard time and time again was: ‘We didn’t realise how technology underpinned what we do, we didn’t even consider the ongoing impact of this kind of thing’.”

Mr Taylor said it is important for trusts to be open and honest about the impact of cyber attacks on their organisations.

He said: “Transparency is difficult because it sometimes leads to difficult questions.

“But we have found that if you are transparent in your data security, when you make mistakes patients are much more willing to forgive you because they know you are trying your best.

“We need patients and patients’ groups to see what we are doing.”

NHS Digital says successful cyber attacks should be reported to relevant law enforcement agencies and even unsuccessful incidents should be treated with the “utmost seriousness” and logged and reported.

A spokesman said: “It is important that health and care organisations meet their obligations to report serious cyber incidents to NHS Digital and all relevant authorities in line with existing guidelines.

“Such incidents are not routinely published publicly due to security risks but occur rarely. In line with the recommendations from the National Data Guardian’s review into data security, consent and opt-outs, trusts should report serious cyber incidents to NHS Digital and all relevant law enforcement agencies.

“Any incident – whether successful or not – should be treated with the utmost seriousness.”