HSE acts after Britain’s health service hit in global cyber attacks

Tools stolen from US National Security Agency used by hackers in attacks in several countries

A woman points to the website of the NHS: East and North Hertfordshire notifying users of a problem in its network, in London on May 12th, 2017. Photograph: Daniel Leal-Olivas/AFP/Getty Images

A woman points to the website of the NHS: East and North Hertfordshire notifying users of a problem in its network, in London on May 12th, 2017. Photograph: Daniel Leal-Olivas/AFP/Getty Images


The Health Service Executive has said it is taking precautionary action to protect its IT systems in the wake of a major cyber-attack that struck organisations across the globe.

Hackers hit a range of targets ranging from the UK’s National Health Service to European telecoms company Telefónica on Friday in a ransomware attack using tools stolen from the US National Security Agency.

Ransomware works by encrypting data on computers after an unsuspecting user clicks on a link in an email, which downloads malware.

The hackers then demand a fee, typically payable in untraceable digital currency, to unlock the computers.

The HSE said it convened a special meeting on Friday night to consider the situation.

“On foot of that meeting it was decided that, as a protective measure, the HSE’s Office of the Chief Information Officer (CIO) would remove all external access to the HSE’s Network to protect the integrity of clinical IT systems throughout our Health System,” it said in a statement, adding that it would continue to monitor the situation.

A spokeswoman declined to comment on the exact measures being taken. The HSE has warned staff not to open any suspicious emails which could expose its network to infection.

A tool known as Eternal Blue developed by US spies was used by the hackers to make an existing form of ransomware known as WannaCry more virulent, three senior cyber security analysts said.

Their analysis was confirmed by western security officials, who were scrambling to contain the attack that hit hospitals and doctors’ practices across the UK.

Infection is almost always made by email, but the latest version of WannaCry spread laterally through the computer networks of infected organisations. The NSA’s Eternal Blue allows the malware to spread through file-sharing protocols set up across organisations – many of which span the globe.

Security officials in the UK, which has been among the countries worst hit, currently believe the attacks are the work of a criminal group, though they are still working to assess the full nature of the attack.

The UK’s National Cyber Security Centre, an arm of GCHQ, has been put into a state of high alert. The speed and virulence of the infection has caught many by surprise.

Operations cancelled

NHS Digital, the arm of the health service co-ordinating a response to the attack, said “a number” of NHS organisations had been affected.

Hospitals in cities and towns such as London, Liverpool, York, Leicester, Derby and Glasgow were forced to close services, including cancelling operations and diverting ambulances to other hospitals. Staff were forced to use pen and paper.

The same or similar virus was used in a large-scale attack on Telefónica, Spain’s main telecoms provider. Telefónica said it had suffered a “cyber security incident” affecting the personal computers of “some” employees.

In Portugal, the police cyber crime unit told local media that “large-scale” ransomware attacks had hit a number of Portuguese companies.

The People’s Daily in China tweeted that similar attacks may have hit China.

About 1,000 computers at the Russian interior ministry were affected by the attack, a spokeswoman for the ministry told Interfax

The NHS said that there was no evidence that patient data had been accessed but it was continuing to assess the damage done by the hack.

Downing Street said that prime minister Theresa May was being kept updated and that Jeremy Hunt, the British health secretary, was being briefed by the NCSC.

Dominic Grieve, chair of the intelligence and security committee, said the government was not complacent about the threat from hackers. “The government has already allocated a colossal amount of resources to this . . . but you can’t have 100 per cent guarantee that you cannot be hacked into.”

In October, Cabinet Office minister Ben Gummer warned that “large quantities of sensitive data” held by the NHS and government were being targeted by hackers – with the potential to disrupt Britain’s energy, water and transport networks.

St Bartholomew’s Hospital, in central London, confirmed it was among the hospitals to have been hit and said it had been forced to cancel routine appointments and divert ambulances to neighbouring hospitals as the “major IT disruption” took hold.

It asked the public “to use other NHS services wherever possible” and said that the IT breakdown was causing delays at all the hospitals withinits trust.

“We have activated our major incident plan to make sure we can maintain the safety and welfare of patients,” it added.

Technicians were turning away patients seeking blood tests and the electronic sign that determines the queue was switched off. “It’s because of the computers,” one staffer told a confused woman.

One person said that managers at all levels were in meetings to assess the attacks.

Paper records

Patrick Ward, a salesman from Dorset, was poised to have open-heart surgery at Bart’s on Friday when the computers went down.

Mr Ward said he had been prepared for surgery when, just before 2pm, “the consultant came and said there’s been a cyber attack and they could no longer do the operation”.

His doctor only performs the surgery for Mr Ward’s condition, which is not life threatening, once a week, on Fridays. Mr Ward said he was told to expect a call on Monday with more information. “I’ve got to wait now.”

A doctor working in a hospital in east London affected by the attack said staff had “turned everything off and we are sitting back and going on seeing patients as we normally do”. Staff had reverted to paper records, he added.

East and North Hertfordshire NHS Trust posted a statement on its website to say it was “currently experiencing significant problems with our IT and telephone network which we’re trying to resolve as soon as possible”. Hospital trusts and GP groups in Lancashire were also reporting problems.

NHS Digital said it was “working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations”.

Vanessa Sandhu, a GP in Braintree, Essex, said: “We got a call from the CCG [Clinical Commissioning Groups] saying there had been a security breach. We all had to shut down our computers and unplug all cables from the walls.

“It was scary - we had no idea what was going on. We didn’t have access to our notes or patient medical records. We couldn’t request blood tests or ultrasounds. We had to disconnect the surgery telephones so we couldn’t communicate with other doctors or patients. We tried to see the patients in the building, but everyone else we told to go home.

“We’ve had to close the surgery for the day. Some hospitals have had to shut down so it’s going to be absolute carnage in A&E if you can’t do emergency tests or get blood results for those most in need.”


In February, a report into the NHS and cyber crime found that 34 per cent of trusts across England, Scotland and Wales had suffered ransomware attacks during the previous 18 months.

Scottish trusts were the worst hit, with almost 60 per cent being attacked, while 79 English trusts, more than 33 per cent, had been affected since June 2015.

Attacks on at least seven of the trusts, including dozens of hospitals, had been successful, which means that data had been locked up by criminals.

In November, a ransomware attack on the Northern Lincolnshire and Goole Trust brought down the systems of three British hospitals, forcing doctors to use pen and paper rather than computers, and leading to the cancellation of hundreds of routine operations and outpatient appointments. The attack lasted five days.

Jonathan Ashworth, shadow health secretary, said the attack was “a real worry for patients” and called on the government to set out what had happened and what measures ministers were taking to reduce the threat.

Copyright The Financial Times Limited 2017 and Reuters