Operations Cancelled After Three UK Hospitals are Crippled by Computer Virus

Cyberattacks on healthcare providers in the United States are occurring at an alarming rate; however, it is not only U.S healthcare organizations that are being targeted by cybercriminals.  Over the weekend, a major security incident was reported by a National Health Service Trust in the United Kingdom.

The incident has resulted in computer systems being taken offline and appointments and scheduled operations being cancelled at three UK hospitals – Goole and District Hospital, Princess of Wales Hospital in Grimsby, and Scunthorpe General Hospital – while a virus is removed.

Trauma patients have been redirected to other hospitals, all planned operations have been cancelled, and all non-urgent medical services have stopped while the NHS Trust deals with the infection.

A virus was discovered on the network of the Northern Lincolnshire and Goole NHS Foundation Trust over the weekend. Cybersecurity experts were consulted and the NHS Trust was advised to shut down its computer network to prevent the spread of the infection and to allow the virus to be isolated and destroyed. The exact nature of the virus is not known, although an incident as severe as this that has forced an almost total network shutdown indicates suggests the attack involved ransomware.

Without access to computer systems, physicians have had to resort to pen and paper to provide medical services to inpatients; however, all appointments and operations from Sunday through Wednesday were cancelled with few exceptions.

The NHS Trust expected to be able to bring its systems back online by Wednesday. Not all systems have been restored, but the majority of systems are now back online and normal service is now resuming. Appointments and operations on Thursday November 3 will proceed as scheduled.

Healthcare organizations are in the firing line and cyberattacks are to be expected. If those attacks result in the oss of access to healthcare data, this naturally can an impact on patient safety. The NHS Trust confirmed in a statement that patient safety was not put at risk, but services were severely disrupted and patients were required to be redirected to other medical facilities.

Incidents such as this clearly demonstrate how important it is for healthcare organizations to be prepared, which means developing and testing a detailed cyber incident response plan. Should an attack occur, the impact on patients can be minimized.

As Tim Erlin, senior director of IT security and risk strategy for Tripwire explained to HIPAA Journal, “The worst time to create an incident response plan is during an incident.  At this point, there can be little doubt that cyber-attacks can impact human safety. We’re no long talking about protecting data, or credit card theft alone.”

Erlin went on to explain, “Hospitals and other medical facilities need to recognize the impact that these incidents can have on their operational status, and take proactive measures to implement foundational controls for information security. Implementing basic controls for systems that affect patient care needs to be as standard as sterilizing equipment.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.