NHS major 'cyber incident' forces hospitals to use pen and paper
- Reference: 1732797070
- News link: https://www.theregister.co.uk/2024/11/28/wirral_nhs_cyber_incident/
- Source link:
We have reverted to our business continuity processes and are using paper rather than digital in the areas affected
The Wirral University Teaching Hospital NHS Trust updated its official line on the incident on Wednesday evening, revealing new details about the case, but remains coy about the true nature of the attack.
"After detecting suspicious activity, as a precaution, we isolated our systems to ensure that the problem did not spread. This resulted in some IT systems being offline," the updated statement said.
"We have reverted to our business continuity processes and are using paper rather than digital in the areas affected. We are working closely with the national cybersecurity services and we are planning to return to normal services at the earliest opportunity."
When organizations talk about isolating and pulling systems offline, it's usually the wording that later becomes associated with a [1]ransomware incident . It has not confirmed whether or not that is the case, however.
[2]
The trust went on to say that services are still available, although some scheduled appointments "are affected" without specifying how, adding that some procedures were postponed.
[3]
[4]
Patients are advised to continue attending scheduled appointments with their appointment letters in hand unless told otherwise.
The trust is [5]responsible for Arrowe Park Hospital, Clatterbridge Hospital, and Wirral Women and Children's Hospital. It also provides some [6]services at St Catherine's Health Centre, and Victoria Central Health Centre, Wallasey.
[7]
Before the update on Wednesday evening, the trust's statement included the following: "Maternity services are running as normal. All antenatal appointments, community midwife appointments, scans, and post-natal visits are continuing as usual. Please still attend maternity appointments unless contacted otherwise. The 24-hour emergency triage service is running as normal."
This section has since been removed.
[8]Another 'major cyber incident' at a UK hospital, outpatients asked to stay away
[9]NHS to launch 'real-time surveillance system' to prevent future pandemics
[10]Former Facebook lobbyist joins UK comms regulator as non-exec director
[11]NHS would be hit by 'significant' costs if UK loses EU data status, warn Lords
The [12]incident was first disclosed on Monday evening , at which point the trust discouraged people from visiting affected hospitals' accident and emergency (A&E) departments unless their condition was serious and/or life-threatening. Genuine emergencies included but weren't limited to chest pains, choking, blacking out, serious blood loss, and strokes.
"Serious injuries" were included in this list originally, but updated guidance indicates that things like bone breaks and joint sprains should instead first be seen by an urgent treatment center (UTC), in line with wider NHS policy.
UTCs differ from A&E departments. UTCs are typically only open for around 12 hours a day whereas A&E is open 24/7.
[13]
Those who need to visit a UTC outside of working hours should of course visit A&E instead, but those who decide to visit, regardless of the severity of their condition, are warned of longer-than-usual waiting times.
"The trust continues to prioritize emergency treatment but there are likely to be longer than usual waiting times for unplanned treatment in our emergency department and assessment areas." ®
Get our [14]Tech Resources
[1] https://www.theregister.com/2024/06/20/qilin_our_plan_was_to/
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z0ihsv9jyF4FcyWCI7UIigAAAEc&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z0ihsv9jyF4FcyWCI7UIigAAAEc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z0ihsv9jyF4FcyWCI7UIigAAAEc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://www.wuth.nhs.uk/our-locations/
[6] https://www.wuth.nhs.uk/our-locations/community-locations/
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z0ihsv9jyF4FcyWCI7UIigAAAEc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://www.theregister.com/2024/11/26/third_major_cyber_incident_declared/
[9] https://www.theregister.com/2024/11/08/nhs_realtime_surveillance_pandemic/
[10] https://www.theregister.com/2024/11/05/facebook_lobbyist_ofcom/
[11] https://www.theregister.com/2024/10/23/uk_eu_data_adequacy/
[12] https://www.theregister.com/2024/11/26/third_major_cyber_incident_declared/
[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z0ihsv9jyF4FcyWCI7UIigAAAEc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[14] https://whitepapers.theregister.com/
while scheduled procedures are canceled
Bring back matrons. Proper matrons, not gloried "managers". They would get things running again.
Re: while scheduled procedures are canceled
With respect, no they wouldn't. The issue is simply that, when the IT system(s) stop working, Business Continuity (going back to pen and paper in many cases) slows down the process back to those Matronic levels which means not as many patients can be seen, tested and treated in any given timeframe so the backlog, usually in Critical Care settings, increases and can get to a point where the A&E doors are closed. Cancelling non-urgent care, as bad as it is, protects the Critical Care services from getting so clogged up they need to shut.
Re: while scheduled procedures are canceled
No to mention Radiology reporting would be majorly impacted with reporters having to view imaging on the actual medical imaging modality rather than a viewing workstation with no prior imaging available for comparison. This impacts flow throughout a hospital with Ambulances stacking up outside unable to get patients in and bed log jam at the other end.
Not sure how "Matron" is supposed to fix that.
Re: while scheduled procedures are canceled
<....."....with Ambulances stacking up outside unable to get patients in....".....>
This seems to be normal at many UK hospitals nowadays anyway, even with all the IT working perfectly and the full complement of staff in A&E :(
Re: while scheduled procedures are canceled
(looks out window at ambulance bay) - well.... yes
Re: while scheduled procedures are canceled
"the full complement of staff in A&E"
The clinicians I know would argue that they've never seen an A&E with the full complement of staff. They're always complaining of staff shortages.
Total Barstewards
Those that do this, to hospitals, schools, and other organisations that are a soft target but provide critical services, are a bunch of handjob artists who deserve to have their tackle removed with a pair of pruning shears, fried in butter and served to them on toast. Defenders must block every hole, the attacker needs to find just one. At the same time, with systems as numerous and complex as those in healthcare and with no money available, it's not possible to establish meaningful contingency options (other than paper an pen).
Now think of all the state actors who've planted their digital "sleepers" in the systems of every one of our critical services, just waiting to press the big red botton ... like the Israelis did with the pagers (albeit they added a gruesome and unnecessary physical payload).
Not the first
1) Do all the NHS hospitals/primary care groups/etc. run such disparate systems that lessons cannot be learnt from the first incursion and spread across the whole organisation?
2) Is money or manglement so tight, or staff so overworked, that precautions cannot be put in place?
3) Is the whole NHS computing so far out of date that most of it is not supported?
The first question is a genuine question about learning best practice.
For the second two, I think most people know the answer already :-(
Re: Not the first
To answer your first question: Yes.
There's a lot of work across local Integrated Care Boards (the new CCGs it seems) to try to do more joined up thinking. However, each organisation (GP, Local Hospital Trust, wider Hospitals Group) are individually funded and run with different levels of Technical Maturity/Technical Debt and different clinical priorities which directs or diverts funding/attention. I can say that it's getting a lot better with, for example, NHS England, paying for Windows E5 licences so everyone can at least get MDE on the desktop and server environment and provide assistance from the NCSOC. Everything else is the wild west.
Re: Not the first
1) Workflow throughout a hospital is dependant on information from various computerised systems, you unlink those systems and departments are running at 50% speed IF you are lucky.
2) Precautions are in place and plans are made for these situations - this is the mentioned contingency plans.
3) No - it's a cyber attack - you have to isolate systems,
Re: Not the first
The answers to 2 & 3 determine the answer to 1.
not really a surprise.
Clatterbridge hospital was still using token ring at least a decade after everyone else had moved on to ethernet (I quite like TR but it was obsolete a very long time ago), their IT department was a fucking shambles and utterly chaotic, they didn't know their arse from their elbow.
Twenty five years ago
Twenty five years ago I was the network admin for a secondary school which just got its first Internet connection. Before releasing it to all an' sundry, we implemented things like strict proxy servers and firewalling, to prevent computers just arbitrarily connecting out to the Internet.
We allowed port 80 and 443 access to all domains, unless they were on a content filtering blacklist (initially, and then category-based filtering as time went on). But overall, we prevented access to the net for most things, unless there was a good reason to not. We did MITM SSL inspection too, and pushed our CA certificate to domain-joined workstations (and there was no guest wifi).
Back then (he says, bring his blanket a little closer and the ash from his pipe flaking in his beard) there were less threats and more control. Now it seems like we have more threats and less control: pesky CDNs and AWS/Azure VMs means you can't just block a range, or even a domain name sometimes, as it's shared by something else. Everything is dynamic, and we seem to have reduced our ability to respond appropriately: "just let the machine do whatever it wants" seems to be the default firewall setting.
Why aren't we segmenting our LANs from our WANs properly anymore? Why is it the default to just let the computer, the phones, the IoTs do whatever they want on our networks and down our pipes?
Re: Twenty five years ago
We do that where I am employed, we've moved from a properly segmented LAN to Azure and no local control, we can't lock machines out, there are "ghost"achiness which don't appear in any of ouranagent tools but still have access to our resources, our network is actually just one great big WiFi hotspot and the two gaping big holes in our local admin rights policy I've spotted and demonstrated to our CISO are still wide open.
I'm attending an interview tomorrow for a new job because I'm sick of screaming my years of experience into the void trying to explain to business grads in management how IT works and how users think.
It shouldn't make too much difference.
And not just because it has been a mess for years due to Covid, Brexit staff shortages and strikes.
Most hospitals function a little like trench warfare. For long periods of time, nothing much happens. Doctors wait for test results or scans. Patients wait for doctors. It can get full in A&E, but in general, hospitals worked fine with paper (or at least whiteboards) for decades and still will. They should isolate an internal network and airgap it with staff. If a companion net-connected network goes down, they can still operate the internal systems. Hospitals always used to use fax, and having that still working would be helpful. As it is, they will have to use their smartphones for visual stuff and communication.
Each time this happens it is a lesson in the need for better basic security and a viable backup. How many places actually act on that is questionable.
If the NCSC are involved then it is most likely malware and won't be fixed for some time.
The COVID internet
Healthcare worldwide and the NHS has resolved all the problems we saw worldwide a few years ago - healthcare is so good, it's kept me super healthy and never been infected (icon)!!!
But all the internet communications problems have never been more than occasionally investigated and solved - we need to accept that it's still Cybersecurity Organized Viral Internet Defections risking everyone and everything on the Internet. This is just an opinion about all the risks these days, not a joke.