During the early hours of Friday 14 May 2021, the national and local IT systems of the Health Service Executive (HSE), Ireland’s equivalent of the NHS, were hit by a cyberattack.
The perpetrators, suspected to be a Russian-based criminal gang, had used one type of software to infiltrate the systems, which opened the door to the deployment and activation of another type of software – a ransomware package known as Conti. It began to delete back-up functions, disable key security protocols and encrypt vital files.
Hospitals across Ireland lost access to electronic records, services were disrupted, appointments were cancelled, and some medical equipment was disabled.
Data had also been compromised. The gang claimed it had patient details, employee records and financial information, and reportedly demanded a ransom of €16.5m to prevent the release of the data and to decrypt the files. The job of restoring the affected systems has been gradual, with 95% of servers and devices back up and running by September 2021.
The NHS has what we call a large cyberattack surface, a big outside edge, because we're a large sector with lots of people and devices.
Across the world, cybersecurity experts have looked closely at the HSE attack and its aftermath. Steve Fenwick, NHS Digital’s head of cybersecurity operations, says it is the most prominent example of the growing ransomware threat affecting a national healthcare system.
Phil Huggins, Interim National Chief Information Security Officer at NHSX, emphasises that ransomware is not necessarily the preserve of organised crime. “The main concern with ransomware is that it’s indiscriminate. The NHS has what we call a large cyberattack surface, a big outside edge, because we're a large sector with lots of people and devices.
"So, if you're a criminal who's trying to steal a bit of money from just anybody, we're a big chunk of that. They may not necessarily be targeting healthcare and possibly don't even understand they’ve picked on somebody with primary care responsibilities. They will just hit the system, take control and demand payment because we're there, we're connected and we're vulnerable.”
"Money is not necessarily the only incentive," adds Fenwick. “We see lone actors who maybe have a grudge, don’t have a high skillset, have possibly watched a YouTube video and followed the script. That’s low-level stuff. But the financial crime is the big threat. Whether they steal the data or hold it to ransom, they want the cash.”
It could be you
For a local NHS organisation, the first signs of an attack can be almost imperceptible. It’s crucial to quickly raise the alarm, and engage national support as soon as an issue is spotted. One cyber security manager at an NHS trust in southern England describes an incident he discovered after a routine trawl of the system’s activity logs earlier this year.
He initially found an issue with Exchange, the trust’s email system. An XML (text) file had been changed in the early hours of Valentine’s Day. It was rare for such activity to be carried out on a Sunday.
“I called NHS Digital’s incident number and explained what I'd found and they did think we had a problem.
The back-up from NHS Digital throughout was a huge help. We worked into the middle of the night on this.
“We checked the system and were happy that nobody was actually inside. Within 4 hours of detecting the issue all our accessible points on the internet were fixed, and within 12 hours the rest of the system was locked down.
“The back-up from NHS Digital throughout was a huge help. We worked into the middle of the night on this. At no point did I feel any lack of support. It felt like a proper collaboration. They provided an extra dimension of expertise to our incident response processes.”
NHS Digital incident manager, Martin Jarvis, who manages network security for NHS organisations, said he believed the attack may have been backed by a foreign state: “They had seen suspicious activity on one of the trust’s servers, but on a deeper investigation, we found 6 servers had been infiltrated by a malicious code.
“Using this exploit the group can take control of your mail server and quietly gather information which could be leveraged later or used in preparation for further attacks. With the trust, we were able to ensure the attackers could not continue to use the back door created by the malicious code.”
Central support
Meanwhile, Fenwick says his team is working hard to spot attacks centrally.
“Our job is to spot nefarious activity, help to isolate the device and stop the spread,” says Fenwick. “A lot of activity happens before ransomware is deployed. We have a strong insight into that precursor activity. Our threat intelligence team is always studying the characteristics of threat actors and how they operate. We've stopped a lot of threats at that precursor stage, which is the space we seek to occupy."
That means monitoring much of the vast NHS IT infrastructure across England, encompassing about 1.5 million devices – laptops, desktops, servers and other equipment. “It's an enormous capability to be able to see all that. We are tracking activity every minute of the day.”
If suspicious activity is spotted, the team alert the local organisation, work to help contain the situation and can deploy a forensic investigation capability.
This central role is expanding as the NHS relies more on digital services. Fenwick says the NHS Test and Trace is one example of the importance of cyber security capabilities keeping pace with digital innovation in the system.
The app brought together data from several sources and it was crucial to get the cyber security right. “The task was to put a protective wrap around that,” says Fenwick. “A security operating centre was created from scratch and the architecture developed really quickly.
“Going forward we will continue to strengthen the capability of the security operating centre and ensure we keep apace as threats constantly evolve.”
Getting the basics right
Alongside that central support, Gregg Calter, delivery lead for the cyber programme at NHS Digital, stresses that everybody working for the NHS needs to be aware of cyber threats and take simple measures to offer an additional level of protection.
This includes keeping devices up-to-date with the latest software and patches, locking screens if computers are left unattended, using varied and strong passwords and being aware of what to do if you receive suspicious emails.
These measures need to be enacted consistently well right across the NHS. This is a major challenge for such a huge service that is the sixth largest employer in the world.
"So it is important to have a robust security framework and have plans in place if an organisation is compromised such as backing up data and making sure it is well protected," says Calter. "Just this one step can save a lot of pain."
NHS Digital’s Keep I.T. Confidential campaign can help organisations to raise awareness of the threats we face, and to encourage simple behaviours from their staff, which can prevent them and the organisation falling victim to an attack.
Our Data Security and Protection Toolkit is also an important resource, providing health and care organisations with an online self-assessment tool to measure their performance against the National Data Guardian’s 10 data security standards. All organisations that have access to NHS patient data and systems must use the toolkit to provide assurance that they are practising good data security.
Related subjects
Last edited: 17 July 2023 12:35 pm