On Friday 12th May 2017 we heard the shocking news that the NHS had been subjected to a large-scale ransomware attack which rendered essential healthcare services unavailable. According to media reports up to 39 NHS organisations and several GP Practices were affected. NHS Digital (the organisation that exists to ‘improve health and care by providing national information, data and IT services for patients, clinicians, commissioners and researchers’) said that there was no evidence that data had been compromised. Earlier this year on the 13th January, Barts Health Trust was also subjected to a ransomware attack.
A ‘ransomware’ attack is a form of cyber-attack that aims to have a debilitating effect by denying key digital resources to the user and literally holding the user to ransom by demanding payment to release those resources. A user might be an individual user/consumer, a commercial business, or a service. In the case reported today we see what appears to be patient data (the key digital resource) affected. This has resulted in the inability to deliver essential healthcare services to patients, with payment being demanded from the NHS organisations to release that data.
The debilitating impact is caused by encrypting the data in a form that renders it unusable (essentially useless) to the systems that use that data. For example, a clinician will need to see a patient record containing essential information on their screen during a clinic session. If this data is inaccessible (because it’s been encrypted) then the consultation is compromised. The ransom demand for payment is to decrypt the data ‘back to normal’.
Ransomware attacks are abhorrent, and what is particularly repugnant about this attack is that it has affected our National Health Service, which innocent citizens rely on every day. It has potentially put the lives of those citizens at risk: new-born babies, children, the elderly, the vulnerable and the sick. At this point it may also not be entirely clear whether the affected systems can be reinstated to the consistent form they were in before they were hijacked, or whether there is any associated long-term impact. This is yet to be determined. The nature of the data in question is also of critical concern, e.g. personal sensitive data about individuals, their medical conditions, diagnoses, blood test results, prescribed medication etc.: data that could not be more personal in nature. Whilst there is no indication at this stage that data has been leaked (i.e. that theft of data has occurred), there is always the risk of further nefarious activity embedded within ransomware attacks that might seek to do this. The thought of this type of data in the public domain is alarming.
Every system is subject to attack, with motives including financial gain, political advantage, vanity, revenge, sabotage and espionage. The impact and cost can be disastrous: financial loss, loss of reputation, loss of trust, loss of data – and loss of life. A report published by Symantec last year (2016) summarised that ransomware had reached a new level of maturity and menace, with targeted attacks on business organisations on the increase. Whilst attacks against the healthcare sector had been widely reported in recent months, it did not appear to be the most frequently targeted sector. This attack is said to be part of an untargeted wider attack affecting organisations around the world. The real extent of ransomware attacks is perhaps unknown, as many are likely to have gone unreported by organisations for fear of damage to reputation, erosion of consumer confidence, financial loss, and litigation.
The NHS has made significant and commendable strides in embracing the digital ecosystem, including the morphing of the Health and Social Care Information Centre to NHS Digital, and the publication of Local Digital Roadmaps which aim to deliver, ‘primary care at scale, securing seven day services, enabling new care models and transforming care in line with key clinical priorities.’ My hope is that this work continues to grow and strengthen, and in doing so fortifies the digital fence that protects our healthcare service and data, and weakens the efforts of those that seek to harm it.