Major global cyber-attack hits NHS and delays treatment

BMJ 2017; 357 doi: (Published 15 May 2017) Cite this as: BMJ 2017;357:j2357
Adrian O’Dowd, London

An unprecedented level of disruption hit the NHS in England and Scotland at the weekend after a “ransomware” cyber-attack that paralysed NHS information technology systems across dozens of organisations.

Operations were postponed, appointments were cancelled, and staff were asked to work over the weekend, as trusts put emergency plans into action to deal with the problem, which also affected many different organisations, including FedEx, Renault, and Germany’s railways, in around 150 countries, attacking around 200 000 computers.

On 12 May the malware started to cripple NHS computers. This particular strain, called WannaCry, is ransomware: malware that encrypts data, locks the user out, and demands a ransom from the user before the data is released.

In England 48 trusts experienced problems at their hospitals, with GP surgeries and pharmacies also affected, and 13 NHS organisations in Scotland were hit. Wales and Northern Ireland seem to have been unaffected so far.

In a statement NHS Digital, the body responsible for ensuring that organisations meet information and security standards, said that there was no evidence that patients’ data had been accessed.

Most NHS organisations were running up-to-date IT systems, but a small proportion, around 5%, were still in the process of upgrading their devices from older operating systems such as Windows XP, said NHS Digital.

It is thought that the continued use of the Windows XP platform had made the NHS vulnerable to ransomware attack. On Sunday 14 May Microsoft announced that it would be taking the “highly unusual” step of providing a security update for customers using older Windows platforms, including XP. Also on Sunday the UK National Cyber Security Centre said that it knew of no sustained new attacks of the kind seen on Friday. “But it is important to understand that the way these attacks work means that compromises of machines and networks that have already occurred may not yet have been detected and that existing infections from the malware can spread within networks,” it said.

Politicians raised questions over the government’s handling of technology security, with Labour and Liberal Democrat MPs calling for an inquiry and accusing the government of failing to adequately fund IT and security.

However, the defence secretary, Michael Fallon, said on the BBC’s Andrew Marr Show on Sunday 14 May, “We’re spending around £50m [€60m; $64m] on the NHS cyber-systems to improve their security. We have encouraged NHS trusts to reduce their exposure to the weakest system, the Windows XP. We want them to use modern systems that are better protected. We warned them, and they were warned again in the spring. They were warned again of the threats.”

One of the trusts affected, Barts Health NHS Trust in London, said in a statement that it had been working over the weekend to try to keep services open but that some appointments on 15 and 16 May were being cancelled. Although its hospitals remained open for emergency care, some ambulances were being diverted to neighbouring hospitals.

A spokesman for University Hospitals of North Midlands NHS Trust, whose website was closed down at the weekend but is now back online, said that the hospital was running normally again and that patients with appointments should attend unless they had been told not to.

Another affected trust, United Lincolnshire Hospitals NHS Trust, said that it had cancelled all routine activity in its hospitals over this weekend and on 15 May.

In Scotland 13 health boards were affected by the cyber-attack, but most incidents were confined to desktop computers in GP surgeries, dental practices, and other primary care centres.

Scotland’s justice secretary, Michael Matheson, said, “NHS Scotland systems are being recovered. We expect them to have returned to normal by Monday, and it is important to emphasise that there is no evidence that patient data has been compromised. Patients who have appointments booked for Monday and beyond should attend as planned.

“However, we must remain particularly vigilant against further incidents, and the Scottish government is taking action to enhance security, including contacting over 120 public bodies to ensure they have appropriate defences in place.”

Doctors’ leaders said that “inadequate investment” in NHS information systems over recent years could have let the NHS’s defences down.

The BMA’s chair of council, Mark Porter, said, “This cyber-attack on NHS information systems is extremely worrying for patients and the doctors treating them.

“We need to quickly establish what went wrong to prevent this happening again, and questions must also be asked about whether inadequate investment in NHS information systems has left it vulnerable to such an attack.”

GPs were also doing everything possible to help tackle the issue, said the Royal College of General Practitioners. Its chair, Helen Stokes-Lampard, said on Sunday 14 May, “GPs and our teams around the UK are working hard and doing whatever is within our power locally to minimise disruption so that we can provide business as usual—or as close to it as possible—services to our patients tomorrow.

“Indeed, many GPs are in their practices trying to reboot computer systems and install updated patches so that the servers aren’t overloaded tomorrow morning.”

The college said that it had been informed by the provider of EMIS, the clinical software that many general practices use for patient data, that EMIS Web was unaffected and that access remained available.

Anne Rainsberry, NHS England’s NHS incident director, said, “We’d like to reassure patients that if they need the NHS, and it’s an emergency, they should visit A&E or access emergency services in the same way as they normally would, and staff will ensure they get the care they need.

“More widely, we ask people to use the NHS wisely while we deal with this major incident, which is still ongoing. NHS Digital is investigating the incident, and across the NHS we have tried and tested contingency plans to ensure we are able to keep the NHS open for business.”

The European Cybercrime Centre (EC3), set up in 2013 by Europol to strengthen the law enforcement response to cybercrime in the European Union, said, “The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits.”

EC3 was working closely with affected countries’ cybercrime units and industry partners to mitigate the threat and help those affected.

A cyber-security expert speaks

Mark Mangham, director of Vedette Consulting, a management consultancy firm that provides advice, including advice on cyber-security, to various organisations, told The BMJ that even trusts that had the latest operating systems such as Windows 10 but that had not kept up to date with software updates known as “patches” would have been vulnerable to the attack, but to a lesser degree.

“Organisations that had not updated their operating systems had a principal vulnerability,” said Mangham. “Cyber-security is not linear and is not a single wall. It is a combination of different measures, and the rigour and discipline with which they are applied matches to how the level of cyber-risk that has been delivered is successful or not.

“One of the principal ones [measures] is to have your patches and your systems up to date. It seems clear that some of the affected trusts had old systems. It’s not just a question of being affected or not being affected: it’s a question of how damaging an initial attack has been.

“Because there was quite a lot of sophistication in this attack, even trusts and hospitals and businesses that were reasonably well protected will have suffered some impact. The degree of impact suffered by people with old unpatched systems will have been far more acute.”

Underestimating the importance of cyber-security was probably an issue in some areas, he added, saying, “People either don’t have a good understanding of the real risks to information or don’t have a dynamic way of understanding it. IT is seen as being something that specialists do, and the business risk associated with IT is not well understood.”

The way the government had gone about investing in cyber-security was an issue, Mangham added. He said, “The government have made a great degree of effort and have apportioned finance to it, but if you look at what they have mandated, and the standards that they have put out, and things beyond the advice telling you to go to an IT company, I wonder if they have been quite as directive as they might have been.”
