Belfast Telegraph

NHS cyber attack: Ransomware hackers force hospitals across England to divert emergency patients as incident spreads to Scotland

  • NHS England hit by 'Wanna Decryptor' ransomware cyber attack
  • The incident has spread to Scotland

  • At least 21 hospitals affected
  • NHS declares major incident
  • Ambulances diverted and patients warned to avoid some A&E if possible
  • Theresa May says ransomware hit is part of wider international attack

NHS hospitals and surgeries across England and Scotland have been hit by a huge ransomware cyber attack.

Ambulances have been diverted and patients warned to avoid some A&E departments in England after systems were targeted on Friday.

Hospitals and GP surgeries in England and Scotland were among health service organisations hit by a ransomware attack, using malware called Wanna Decryptor.

Staff were forced to revert to pen and paper and use their own mobiles after the attack affected key systems, including telephones.

Saffron Cordery, director of policy and strategy of NHS Providers told the BBC that 21 hospitals have been affected but that the attack has also hit universities, pharmacies and dental practices.

An NHS Digital spokesman said: "At this stage we do not have any evidence that patient data has been accessed.

"We will continue to work with affected organisations to confirm this."

He added the attack "was not specifically targeted at the NHS and is affecting organisations from across a range of sectors".

'International attack'

Theresa May said the Government is not aware of any evidence that patient records have been compromised.

The Prime Minister said the ransomware hit was "not targeted" at the health service but was part of a wider assault on organisations across a number of countries.

The National Cyber Security Centre (NCSC) is working to support the NHS.

Mrs May said: "We are aware that a number of NHS organisations have reported that they have suffered from a ransomware attack.

"This is not targeted at the NHS, it's an international attack and a number of countries and organisations have been affected.

"The National Cyber Security Centre is working closely with NHS digital to ensure that they support the organisations concerned and that they protect patient safety.

"And, we are not aware of any evidence that patient data has been compromised.

"Of course it is important that we have set up the National Cyber Security Centre and they are able to work with the NHS organisations concerned and to ensure that they are supported and patient safety is protected."


Several health boards in Scotland have confirmed they are affected by the cyber attack that has hit NHS England.

NHS Greater Glasgow and Clyde, NHS Dumfries and Galloway and NHS Forth Valley said some of their GP surgeries have been caught up in the incident.

NHS Lanarkshire and NHS Western Isles also confirmed they have been affected.

The situation across Scotland is currently being monitored closely.

The first health board to confirm it had been affected was Dumfries and Galloway, which said three GP surgeries in the region were hit.

A spokesman said: "Three GP practices have been initially affected and we are taking precautionary measures to prevent any others being affected."

He declined to name the practices involved and said the board is "comfortable and confident" with the steps taken, but added: "We don't know what we're dealing with.

"We are monitoring the situation here, as are all health boards in Scotland."

NHS Greater Glasgow and Clyde (NHSGGC) said in a statement: "We can confirm that four GP practices have experienced disruption to their IT systems today.

"The rest of NHSGGC is unaffected."

NHS Forth Valley said some GP and dental surgeries had been hit by the problem.

"We can confirm that a small number of GP and dental practices in the Forth Valley area have experienced disruption to their IT systems which may be linked to the wider IT issues affecting parts of NHS England.

"Steps have been taken to isolate their IT systems to minimise the risk of any virus spreading to other parts of the NHS. The practices affected remain open and have put in place contingency arrangements."

An NHS Western Isles spokeswoman said: "We can confirm that we have been affected but can't confirm to what extent at the moment.

"We do have systems in place to cover all emergencies."

NHS Grampian and NHS Ayrshire and Arran said they are monitoring the situation.

John Wright, director for corporate support services at Ayrshire, said: "NHS Ayrshire & Arran is aware of the reported cyber attacks which appear to have affected NHS services in England and a number of national services across Scotland.

"Our IT security team are closely monitoring our networks to identify any suspicious activity.

"We will continue to do so over the coming days in order to minimise any possible impact on services.

"We are also in contact with the National Services Centre who are co-ordinating the situation on behalf of NHS Scotland.

First Minister Nicola Sturgeon is to chair a resilience meeting on the issue.

Scottish Health Secretary Shona Robison said: "We are aware of a number of health boards affected by potential cyber incidents and the First Minister will chair a resilience meeting shortly.

"Scottish Government health officials are currently working closely with affected boards to assess the extent of the problem, and take steps to isolate affected systems, which have been affected by a Ransomware cyber attack of the kind which has also affected health trusts in NHS England.

"We are taking immediate steps to minimise the impact of the attack across NHS Scotland and restrict any disruption.

"Our priority is to ensure that boards are supported to deal with this incident swiftly, and that services to patients can continue to run effectively."


Pictures posted on social media showed screens of NHS computers with images demanding payment of 300 US dollars worth of the online currency Bitcoin, saying: "Ooops, your files have been encrypted!"

It adds: "Maybe you are looking for a way to recover your files, but do not waste your time."

It demands payment in three days or the price is doubled, and if none is received in seven days the files will be deleted.

The IT-help website describes 'Wanna Decryptor' as "one of the worst viruses".

"Ransomware causes great damage and often you have to spend money to fix it. Encrypting ransomware, like Wanna Decryptor, brings greatest gain to its makers, and major damage to its victims."

Global attack: At least 74 countries affected

The malicious software behind the onslaught appeared to exploit a vulnerability in Microsoft Windows that was supposedly identified by the US National Security Agency for its own intelligence-gathering purposes and was later leaked to the internet.

Russia appeared to be the hardest hit, according to security experts, with the country's Interior Ministry confirming it was struck.

All told, several cybersecurity firms said they had identified the malicious software, which so far has been responsible for tens of thousands of attacks, in more than 60 countries.

That includes the United States, although its effects there did not appear to be widespread, at least initially.

In the US, FedEx reported its Windows computers were "experiencing interference" from malware, but would not say if it had been hit by ransomware.

Chris Wysopal of the software security firm Veracode said criminal organisations were probably behind the attack, given how quickly the malware spread.

"For so many organisations in the same day to be hit, this is unprecedented," he said.

The security holes it exploits were disclosed several weeks ago by TheShadowBrokers, a group that has published what it says are hacking tools used by the NSA as part of its intelligence-gathering.

Shortly after that disclosure, Microsoft announced it had already issued software "patches" for those holes.

But many companies and individuals have not installed the fixes yet or are using older versions of Windows that Microsoft no longer supports and did not fix.

By Kaspersky Lab's count, the malware struck at least 74 countries.

In addition to Russia, the biggest targets appeared to be Ukraine and India, nations where it is common to find older, unpatched versions of Windows in use, according to the security firm.

Spain, meanwhile, took steps to protect critical infrastructure in response to the attack.

Authorities said they were communicating with more than 100 energy, transportation, telecommunications and financial services providers about the attack.

Spain's Telefonica, a global broadband and telecommunications company, was among the companies hit.

Patients told only to attend A&E only if "absolutely necessary"

Hospital trusts and GP groups in Lancashire and Hertfordshire were among those reporting problems, with one warning patients to only visit hospital accident and emergency departments "if absolutely necessary".

Blackpool Teaching Hospitals NHS Trust and the resort town's clinical commissioning group (CCG) warned of problems.

The CCG tweeted: "We are aware of an IT issue affecting some GP computer systems.

"Patients are asked for understanding whilst the issue is resolved.

"Please avoid contacting your GP practice unless absolutely necessary. Should you wish to obtain non-urgent medical advice, please call 111.

"Please also only attend the Walk-In Centre and A&E department if absolutely necessary."

Derbyshire Community Health Services Trust tweeted: "We are aware of a major IT secure system attack.

"All IT systems have been temporarily shut down. More information will be available shortly."

A conversation circulating online saw one doctor saying "our hospital is down".

"We got a message saying your computers are now under their control and pay a certain amount of money," the messages read. "And now everything is gone.”

Affected NHS trusts said that IT systems had been shut down in order to protect them. That meant that all systems were offline and hospitals were unable to accept incoming calls.

East and North Hertfordshire NHS trust also said that it was asking people not to come to A&E, but instead to ring 111, or 999 in the case of an emergency.

“To ensure that all back-up processes and procedures were put in place quickly, the trust declared a major internal incident to make sure that patients already in the trust’s hospitals continued to receive the care they need," a spokesperson for the trust said.

A Barts spokesman said it was experiencing "major IT disruption" and delays at all four of its hospitals, The Royal London, St Bartholomew's, Whipps Cross and Newham.

He said: "We have activated our major incident plan to make sure we can maintain the safety and welfare of patients.

"We are very sorry that we have to cancel routine appointments, and would ask members of the public to use other NHS services wherever possible.

"Ambulances are being diverted to neighbouring hospitals."

NHS IT security boss warned cyber attacks would affect patient care

The man responsible for IT security in the NHS recently warned that cyber attacks "have and will affect patient care".

Writing in National Health Executive magazine in February, NHS Digital's head of security Dan Taylor said: "The NHS is moving quickly to realise the fight to protect our critical information assets and systems starts on the frontline with our people, then our processes, backed up by technology.

"I'll say this upfront: cyber-attacks have and will affect patient care.

"It is no longer just about our email or our IT but the digital transformation, which means delivery of care is underpinned by working software."

What is 'Wanna Decryptor' ransomware?

Ransomware does not traditionally aim to steal personal or sensitive data held on a computer or system, instead focusing on blocking access to and threatening to delete files.

Aatish Pattni from cyber security firm Check Point, said the version of Wanna Decryptor used in the attack was a new piece of malware.

"The ransomware used in this attack is relatively new - it was first seen in February 2017, and the latest variant emerged earlier today, Friday 11 May," he said.

"Even so, it's spreading fast, with organisations across Europe and Asia being hit.

"It shows just how damaging ransomware can be - and how quickly it can cause disruption to vital services.

"Organisations need to be able to prevent infections taking hold in the first place, by scanning for, blocking and filtering out suspicious files content before it reaches their networks.

"It's also essential that staff are educated about the potential risks of incoming emails from unknown parties, or suspicious-looking emails that appear to come from known contacts."

A map showing the spread of 'Wanna Decryptor' infections around the world is available here.

How can ransomware infection be prevented?

Security experts say users should ensure their computer software is always up to date. Often important security updates are contained within these downloads and can prevent known viruses from infecting a device.

Users should also be vigilante in relation to email and not open any links or downloading attachments in emails from unfamiliar or possibly suspicious sources.

Experts also warn that software, apps and other programs should never be downloaded from unofficial sources as this is another common method for hackers to secretly install malware onto computers.

Pete Turner, from cyber security firm Avast, said: "It's critical that organisations and employees, particularly those in our most critical sectors like healthcare, start to think pro-actively about how to protect themselves from ransomware."

Further information on how to protect systems from ransomware is available from the National Cyber Security Centre.

National Cyber Security Centre to play central role in response

Experts at Britain's new dedicated cyber security headquarters will play a central role in responding to and investigating the NHS computer attack.

The National Cyber Security Centre began operating in October last year before being officially opened by the Queen in London in February.

Underpinned by a £1.9 billion government cash injection, the facility is part of intelligence agency GCHQ.

It was established to spearhead the UK's work to counter the mounting threat against the country's infrastructure and economy from cyber criminals and hostile states.

In the three months after the centre was launched, there were 188 "high-level" attacks, as well as countless lower-level incidents.

Chancellor Philip Hammond disclosed earlier this year that the NCSC had blocked 34,550 potential attacks targeting UK Government departments and members of the public in six months.

The NCSC's website says it was set up to help protect critical services from cyber attacks, manage major incidents and improve the underlying security of the UK internet through technological improvement and advice to citizens and organisations.

Senior figures have stressed that attacks are inevitable.

Speaking at its official opening, the NCSC's chief executive Ciaran Martin said: "We're a prosperous, digitally advanced, important country so people are going to attack us.

"That's a fact of modern life. But when someone attacks the UK, I want them to think of us as the hardest of targets. We're good at cyber security in the UK. But we need to get even better."

Patients' Association condemns attack

The Patients' Association condemned the criminals behind the cyber attack on the NHS but said lessons from earlier incidents had not been learned.

In a statement the group said: "We should be clear that responsibility for today's apparently extensive attack on NHS IT systems, and for any harm that occurs to patients as a result, lies with the criminals who have perpetrated it.

"From reports so far, the attack appears to have been highly coordinated and aggressive and a police investigation will no doubt be required.

"However, that something of this sort could happen will surprise few people.

"It has long been known that the NHS struggles with IT in multiple respects and that this includes serious security problems.

"Though today's may be the largest attack of this sort, it is not the first - yet the lessons from earlier incidents have not been learnt.

"The power of IT in transforming services for patients is undoubted, yet the NHS has struggled to harness it: centralised approaches have failed badly, while smaller scale local projects can easily give rise to huge variations in both quality and security.

"We are seeing today that IT security is critical to patient safety.

"Addressing it effectively and quickly is essential and requires appropriate investment.

"In this election period, we must look to our political parties for leadership - now is not the time to be squeamish about the cost of keeping our NHS secure."

Shadow Health Secretary Jonathan Ashworth said the attack was a "real worry for patients.

"Our hard-working NHS staff are already operating under unprecedented pressure and should be given every support to help the public in the face of these malicious and disturbing actions.

"This incident highlights the risk to data security within the modern health service and reinforces the need for cyber security to be at the heart of government planning. The digital revolution has transformed the way we live and work but we have to be ready for the vulnerabilities it brings too.

"The Government need to be clear about what's happened and what measures they are taking to reduce the threat to patients.

"The safety of the public must be the priority and the NHS should be given every resource to bring the situation under control as soon as possible."

Dr Kubo Macak, senior lecturer in International Law at the University of Exeter and an expert on cyber warfare, said: "Early reports indicate that today's cyber operations against the NHS may affect the care for many hospital patients, with potential impact on their health and lives.

"As such, if investigation shows that the cyber attack was directed by an outside state, it would amount to a violation of the UK's sovereignty prohibited by international law.

"However, regardless of the origin of the attacks, the situation confirms how important it is to maintain resilience of the national critical infrastructure, including in the public health sector."

Earlier on Friday Britain's intelligence service GCHQ tweeted: "We work against cyber threats, terrorists and those up to no good, because keeping Britain safe is what we do." The agency made the post to celebrate National Limerick Day. It was mocked by Twitter users following news of the NHS attacks.

The latest hack comes months after Barts Health Trust, the largest NHS trust in England, was hit by a ransomware cyber attack.

The trust sent a message to staff urging them not to open email attachments from unknown senders.

Belfast Telegraph Digital

Weekly Business Digest Newsletter

This week's business news headlines, directly to your inbox every Tuesday.