News: 1733401507

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

British hospitals hit by cyberattacks still battling to get systems back online

(2024/12/05)


Both National Health Service trusts that oversee the various hospitals hit by separate cyberattacks last week have confirmed they're still in the process of restoring systems.

NHS Wirral University Teaching Hospital, which also looks after the nearby Clatterbridge and Arrowe Park hospitals, downgraded its "major incident" to a "business continuity incident" but is still working to bring hospital systems back online.

A spokesperson said in the trust's first statement in nearly a week: "Some services will continue to be affected this week as systems are restored. Anyone with an outpatient appointment is advised to come to their appointment.

[1]

"Emergency treatment is being prioritized but there are still likely to be longer than usual waiting times in our Emergency Department and assessment areas."

[2]

[3]

NHS Wirral said it [4]reverted to pen and paper operations following the attack last week, but the intrusion hasn't yet been claimed by a known crime group.

'Digital gateway service' was the point of intrusion

The same can't be said for the [5]attacks on Liverpool hospitals . INC Ransom took credit for these, which have attracted an overwhelmingly angry reception from onlookers, for the most part due to the impact on Alder Hey Children's Hospital.

Per an updated statement, a spokesperson for Alder Hey Children's Hospital NHS Trust, which also oversees Liverpool Heart and Chest Hospital and Royal Liverpool University Hospital, confirmed the source of the intrusion as an unspecified digital gateway service.

"Criminals gained unlawful access to data through a digital gateway service shared by Alder Hey and Liverpool Heart and Chest Hospital. This has resulted in the attacker unlawfully getting access to systems containing data from Alder Hey Children's NHS Foundation Trust, Liverpool Heart and Chest Hospital, and a small amount of data from Royal Liverpool University Hospital.

[6]

"We have launched an investigation which is still ongoing to determine the full facts around what data has been obtained unlawfully."

Data allegedly taken from the trust's servers was posted online last week, including what appeared to be the personal details of donors to one of the UK's foremost children's hospitals and its patients.

"The attacker has claimed to have extracted data from impacted systems," the statement added. "Screenshots of data the attacker claims to have taken were published online last Thursday. We are continuing to take this issue very seriously while investigations continue into whether the attacker has obtained confidential data.

[7]NHS major 'cyber incident' forces hospitals to use pen and paper

[8]Ransom gang claims attack on NHS Alder Hey Children's Hospital

[9]Ransomware negotiator weighs in on the extortion payment debate with El Reg

[10]A tale of 2 casino ransomware attacks: One paid out, one did not

"The investigation into the data may take some time, and there is a possibility that the attacker may publish the data before our investigation is concluded."

Additional updates about the allegedly stolen data will be provided as soon as the trust is able to, it said, in line with the rules imposed by the Information Commissioner's Office.

[11]

Alder Hey said it has made progress to secure the systems that INC Ransom's crooks targeted and ensuring their access continues to be blocked, although this work is ongoing with the help of the National Crime Agency.

The process of reconnecting the targeted systems is still to be completed, but unlike the trust's counterparts over the Mersey in Wirral, all hospital services remain unaffected and patients are advised to continue attending appointments as scheduled.

Despite calls made from essentially all corners of the infosec industry to stand down the attack, INC Ransom is yet to remove Alder Hey from its data leak site.

The NHS and the UK in general have a longstanding policy to not [12]pay ransom demands . There hasn't been a reported ransom payment from any NHS organization since [13]the WannaCry incident of 2017 , so it's unlikely that INC, or whoever was behind the attacks in Wirral, will receive whatever they're asking for.

And INC should know this already since their affiliates were behind the hit on [14]NHS Dumfries and Galloway earlier this year – another incident for which they weren't paid. ®

Get our [15]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z1HcMR54Ytz0ztFCF7URRgAAABE&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z1HcMR54Ytz0ztFCF7URRgAAABE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z1HcMR54Ytz0ztFCF7URRgAAABE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[4] https://www.theregister.com/2024/11/28/wirral_nhs_cyber_incident/

[5] https://www.theregister.com/2024/11/29/inc_ransom_alder_hey_childrens_hospital/

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z1HcMR54Ytz0ztFCF7URRgAAABE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[7] https://www.theregister.com/2024/11/28/wirral_nhs_cyber_incident/

[8] https://www.theregister.com/2024/11/29/inc_ransom_alder_hey_childrens_hospital/

[9] https://www.theregister.com/2024/05/12/ransomware_negotiator_payments/

[10] https://www.theregister.com/2023/12/28/casino_ransomware_attacks/

[11] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z1HcMR54Ytz0ztFCF7URRgAAABE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[12] https://www.theregister.com/2024/05/12/ransomware_negotiator_payments/

[13] https://www.theregister.com/2017/05/20/wannacry_windows_xp/

[14] https://www.theregister.com/2024/03/28/nhs_scotland_cyberattack/

[15] https://whitepapers.theregister.com/



Doctor Syntax

"A shared digital gateway"

Yet another supply chain attack. Digital supply chains need to be treated as critical infrastructure and held to appropriate standards.

Tom Chiverton 1

Thought was more likely to be poorly secured VPN or remote desktop tbh

Martin Summers

It will be their remote desktop infrastructure for providing access to clinical systems. Likely someone's credentials were nabbed and there was no 2FA on it.

Doctor Syntax

Apparently this scum favours the CitrixBleed exploit which bypasses 2FA. Patches were available in October last year . If that's the case here the hospitals' suppliers have some tough questions to answer.

lglethal

Not paying is absolutely the right thing to do.

Eventually, the attacks will stop on the NHS (probably not completely because of script kiddies, but the actual damaging ones should stop). Purely, because if your a "professional" why waste your time hitting them, when there is no payout.

The sooner everyone stops paying the better, but that's a dream for another day...

wolfetone

" The sooner everyone stops paying the better, but that's a dream for another day... "

That's fine.

But why aren't health services treated as critical services like the national grid? The sooner the government mandates the same level of security and services to our NHS that it requires from the grid (and others) the better.

Doctor Syntax

Because it would cost money?

Anonymous Coward

Healthcare services are an essential service in the UK under the Network and Information Systems Regulations 2018. A Competent Authority will have been appointed to oversee their security.

wolfetone

" A Competent Authority will have been appointed to oversee their security. "

Quite clearly not.

Version 1.0

Network security workers often only have the experience of working to try and prevent the hacks, that's the normal employment environment, hiring engineers and asking them to try and get something done. In my early days I was trying to prevent my company being hacked but frequently saw potential hacks done in new areas and new ways year after year. So I invested my time (no company approvals at all) to learn how to hack my company, often talking with external hackers and I learned how to hack my company.

The good result was that after I had managed to hack it then I was able to prevent all the hacking and we never saw any more problems - but once I prevented it all then I was moved to another job after being told that hack prevention was no longer needed. Since I'd been hacking everything I kept quiet and moved to a new electronics and software environment - LOL I got a nice new job with no risks.

Q: What do Bill Gates and Bill Clinton have in common?
A: Their ratings climb whenever they do something unethical.