You’re sitting at your desk, checking your emails. ‘See attached scan,’ says one. You click on the attachment but it doesn’t open, so you carry on working. Five minutes later, a pop-up box appears on your screen. All your files have been frozen, it says. You won’t be able to get them back unless you pay a hefty ‘fine’ in Bitcoin. Worse, you start to hear complaints from other colleagues. The same thing has happened to them. The department – possibly the entire hospital – has no information technology. What’s going on?
You’ve been the victim of a ransomware attack, one of the biggest risks facing healthcare organisations today. Successful attacks have caused severe disruption to hospitals in Germany and the US. With the NHS target for paperless working within four years, the stakes for cybercrime are higher than ever.
What is a Cybercrime Attack?
There are two common types of cyber attack:
Distributed denial of service attack, wherein websites are attacked by multiple simultaneous requests, resulting in the website crashing, sometimes for days or weeks.
A ransomware attack, wherein files on a network are locked by malware. This is often sent in an email attachment or link and usually followed by demands for payment to unlock the files. Clicking on infected websites can also launch ransomware. As well as locking data, some malware has the capacity to ‘scrape’ the data, meaning it could be stolen or manipulated.
The first is a major problem for organisations that have lots of online customers – for example, online banks or retailers. The best defence is to have a lot of back-up server capacity. This type of attack is becoming less common as ransomware attacks rise.
Ransomware attacks are simpler to carry out. Malware is available on the criminal fringes of the internet for criminals to buy and use, and digital currencies such as Bitcoin make it easier to demand payment.
Could it happen to you?
Daniel Taylor, Director of Data Science at NHS Digital (formerly the Health and Social Care Information Centre), says: ‘It is absolutely something that could happen and I think in the past we’ve been afraid to make statements about this. We’ve shied away from the idea that a successful attack could actually affect patient outcomes.’
He said they’d advised ‘a handful’ of trusts who’ve come under attack in the past 12 months. Although there have been no ‘drastic consequences’ to date, he points to a ransomware attack on Lincolnshire County Council in January 2016, which shut down the council’s IT services for almost a week. Staff resorted to paper and phone calls while servers, systems, hardware and data were isolated and checked.
‘At this moment in time there isn’t either the capability or the intent to do serious harm in health and care. What we’ve seen, we’ve been able to manage and deal with appropriately without an impact on services. But we know the threat exists,’ says Taylor.
John Clarke, Chief Information Officer at University Hospitals of Leicester NHS Trust, says the trust has been subject to one attack, which failed because they don’t store data on individual machines.
‘It was a relatively small thing affecting one single machine,’ he said. ‘A clinician clicked on a link that had somehow got through the layers of security. The first I knew was when he called up my office to ask if he could use the corporate credit card to pay the engineer on the phone. It was only one computer and we dealt with it.’ But he’s far from complacent.
‘We’re trying to move to technologies that are inherently safer than the old-fashioned ones. I’m not saying it couldn’t happen to us again, but we do everything we can to minimise that,’ he said.
Jonathan Lee, healthcare sector manager for digital security providers Sophos UK, says most attacks so far have been random, rather than aimed at the NHS. But he worries that cybercriminals could launch more focused ‘spear-phishing’ attacks, using plausible emails that seem to come from colleagues. ‘As health data are very valuable, we may start to see targeted attacks,’ he predicted, adding that because NHS staff work long hours under high pressure they are vulnerable to this sort of attack.
The Care Quality Commission carried out an audit of the safety of patient data in the NHS, published in July 2016. They concluded: ‘There was evident widespread commitment to data security, but staff at all levels faced significant challenges in translating their commitment into reliable practice.’ They found ‘very varied’ quality and access to cybersecurity training, even among those responsible for data security. Perhaps most telling, the report found that ‘data security policies and procedures were in place at many sites, but day-to-day practice did not necessarily reflect them’.
A survey conducted by PwC in 2015 into information security breaches found that 69% of large organisations had been attacked by an unauthorised outsider in the past year – a big jump from 55% in the previous year. If attacks continue to rise, most NHS trusts can expect to be targeted at least once per year.
What could happen?
The effects of a successful attack are immediate. ‘The impact on patient care is that you haven’t got access to all the systems you need,’ says Lee. ‘Patient data becomes inaccessible, you haven’t got access to email, diagnostics – all the things you need to do your job.’
One surgeon who’s seen the effect of having IT access compromised is Helen Fernandez, a neurosurgeon at Addenbrookes Hospital in Cambridge. Addenbrookes suffered significant problems when it switched to a new electronic hospital record system in 2014.
‘The whole system wasn’t broken, but certain parts weren’t working properly. Requesting transfusions and blood tests – the doctors and nurses could see the requests but they weren’t being seen by the labs,’ she said.
Although this slowed everything down, the workaround system was that ‘we just went back to using a paper system’ until it had been sorted out. However, ‘paper has completely gone now, so there wouldn’t be that workaround. I’m not entirely sure what would happen if there were similar problems [again],’ she says.
In her experience of short periods where systems are unavailable, ‘you just have to manage, really. You’re relying on memory and carrying out tasks as best you can without it.’
What if that happened for a week or longer? ‘We would have to stop all elective work and only do emergency and urgent care. I think if we can access them we can print out previous medical records and develop a new paper record. It would not necessarily be safe,’ she warns.
Clarke said Leicester had also experienced problems with access to diagnostic services. ‘Earlier this year we lost the pathology system for five hours and it was causing significant problems. If we lost the patient administration system for a whole week, we wouldn’t know who was coming in for outpatient appointments. It’s bound to affect patient care.’
And it’s not just the access that is at risk. ‘It also affects the integrity of information,’ says Mr Taylor. ‘As we move a massive amount of records to digital, the integrity of the record is ever-more important. If you have records of adverse drug reactions, for example, I wouldn’t like to think about what could happen if that was compromised by an attack.’
What’s the recovery plan?
Disaster recovery shouldn’t mean going back to pen and paper, says Mr Lee. Ensuring regular, secure back-up of data is the quickest way to recover from a ransomware attack.
‘Make sure that you regularly back up all your data and keep it off the network. That’s a quick way of getting back up and running. It’s important that back-ups are time-stamped. Then we can say, at this time we know our data was clean, so we can restore from that,’ he says.
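The restore logic Lee describes, as an added illustration that is not part of the original article or any NHS tool: each offline backup is time-stamped and carries a digest manifest, and recovery picks the newest copy taken at or before the last known clean time whose contents still verify. The snapshot contents and times are constructed sample data.

```python
import hashlib
from datetime import datetime

# Constructed sample backups (not real NHS data). A manifest of SHA-256
# digests is recorded when each backup is taken, so that at restore time
# we can prove the copy has not been altered since.
def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_snapshot(taken: str, files: dict) -> dict:
    """Record a time-stamped backup together with its digest manifest."""
    return {"taken": datetime.fromisoformat(taken),
            "files": dict(files),
            "manifest": {p: sha256(d) for p, d in files.items()}}

def verify_snapshot(snap: dict) -> list:
    """Return the paths whose stored content no longer matches the manifest."""
    return sorted(p for p, d in snap["files"].items()
                  if sha256(d) != snap["manifest"].get(p))

def select_restore_point(snapshots: list, last_known_clean: str):
    """Newest snapshot taken at or before the last known clean time whose
    manifest still verifies; None if no usable copy exists."""
    cutoff = datetime.fromisoformat(last_known_clean)
    candidates = [s for s in snapshots
                  if s["taken"] <= cutoff and not verify_snapshot(s)]
    return max(candidates, key=lambda s: s["taken"], default=None)

SNAPSHOTS = [
    make_snapshot("2016-01-22T02:00", {"patients.db": b"record set v1"}),
    make_snapshot("2016-01-24T02:00", {"patients.db": b"record set v2"}),
    make_snapshot("2016-01-26T02:00", {"patients.db": b"record set v3"}),
]
# Simulate the 24 Jan copy having been left on a network share and
# overwritten by the malware after it was written: its digest no longer
# matches the manifest, so it must not be used for recovery.
SNAPSHOTS[1]["files"]["patients.db"] = b"<<encrypted by ransomware>>"

def main():
    # Infection noticed on the morning of 25 Jan; data known clean before then.
    chosen = select_restore_point(SNAPSHOTS, "2016-01-25T09:00")
    print("restore from:", chosen["taken"].isoformat() if chosen else "nothing")

if __name__ == "__main__":
    main()
```

With the 24 Jan copy failing verification and the 26 Jan copy falling after the cutoff, recovery falls back to the 22 Jan backup, which is why a single most-recent copy is not enough.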
Clarke wants clinicians to think about what’s needed for robust recovery plans, rather than assuming that technology will take care of everything.
‘What we try to do is say to the clinicians: “Imagine that the IT is not there for whatever reason, how are you going to cope?”. It’s about coming together to solve a problem,’ he says. The approach of involving clinicians seems to be working, he says.
At Addenbrookes, however, Helen Fernandez says: ‘I’m sure there must be a system; I don’t know how that would work. Maybe the junior doctors get more training but I wouldn’t know how to manage that.’
Taylor says clinician involvement is crucial for ensuring that cybersecurity gets the priority it needs.
‘It directly affects the patients they see. Until we get clinicians on side to realise the threat exists – it is real, and we all have personal responsibility for data security – we won’t move on at the pace required. My message is: “Get on board, guys, you need to help us”.’
If the NHS as a whole faced a coordinated attack, NHS Digital would work with the Department of Health to set up a ‘command and control centre’ to advise and help NHS organisations, he said. Yet each NHS trust bears the responsibility for its own data security and must have systems in place.
What can you do?
Taylor stresses the need for everyone to take personal responsibility. ‘Cybersecurity shouldn’t lie with the techies,’ he says. ‘All of us in the NHS have a role to understand our personal responsibilities.’
That includes the precautions we’ve all learned to take in our personal online lives – being suspicious of unsolicited emails, not clicking on links or opening attachments we’re unsure about, not sharing passwords or making them easy to guess. However, training is also important. NHS Digital will be launching a national online data security training platform later in 2016, which will be accessible to everyone in the NHS.
Clarke says that data security training is ‘mandatory’ in Leicester: ‘It’s up there with resuscitation training.’ Yet Helen Fernandez says she is ‘not aware’ of data security training. Clearly there’s some way to go to ensure everyone has the training they need.
Lee said there is a lot that can be done technically to protect security, but that NHS organisations lack sufficient staff to do this work. ‘In an investment bank you will have large-scale security teams looking after tools to keep confidential data secure, whereas in the NHS they are spread between doing lots of different things.’ This means, he says, that systems need to be very easy to implement and manage.
Simplified systems, in which people don’t need to log in and out of lots of different interfaces, are one example. He says data should be encrypted, not just on devices that can get lost, but on the system. That way, if an unauthorised user gets access, it will be of no use to them. A recent survey of 250 NHS Chief Information Officers by Sophos found only 10% said that encryption was ‘well established’ within their organisation.
Another innovation that should help is the CareCERT system run by NHS Digital, which monitors data feeds to identify any threats directed at health or social care, or any cybercrime campaigns that are becoming more common. This information is provided to NHS organisations so they can take precautions and make sure staff know what to look out for.
However, the onus is still on the individual.
‘The biggest threat is our people. Across health and care, that’s 1.1 million staff,’ says Taylor. ‘People are going to make mistakes, yes. Of course things are going to happen. At the same time, they’re the first line of defence. It’s about personal responsibility.’
Think for a moment about how your day would pan out without any access to your outpatient or surgery list, diagnostic test results, patient records or internal communications. Is it worth asking what you can do to keep cybersecure at work?