Britain’s NHS reels from a ransomware attack
The threat of ransomware, the process of stealing or encrypting data for the purposes of extortion, is increasingly obvious. In Britain in recent years local councils, water companies and a supplier to the Ministry of Defence have all been attacked by criminal gangs. Last year the website and other online services at the British Library went down as a result of a cyber-attack; the outage is still not fixed. On June 3rd ransomware came for the National Health Service (NHS).
The attack has been attributed to Qilin, a Russian criminal group; the British government appears to have hit back by taking down the gang’s dark-web site. Qilin’s assault targeted the IT systems of Synnovis, a health-care firm that processes around 100,000 blood tests per day, rendering its data unusable. Several hospital trusts—including two London teaching hospitals, Guy’s and St Thomas’, and King’s College Hospital—have been affected by the attack. So have primary-care providers in six London boroughs.
The attack has hit a wide range of hospital services, forcing them to revert to paper records and hand-signed deliveries. Hundreds of urgent procedures, including emergency operations, Caesarean sections and cancer referrals, have been cancelled. Medical students are being asked to volunteer to hand-deliver blood tests. In transfusion centres, staff have been unable to match patients’ blood types, risking their ability to give life-saving treatment. On June 10th the NHS issued an urgent call for donors of O-positive and O-negative blood, which is safe for all patients.
Routine blood tests have also been affected. “It’s had a significant impact,” says Dr Sebastian Kalwij, a general practitioner in Lewisham. Tests to diagnose conditions or to monitor chronic diseases like diabetes or the effects of medication are being delivered by post. The tests are piling up; delays are expected to continue until at least the end of the month.
Although the details of the attack are still emerging, it raises serious questions. Some are narrowly about this incident. Synnovis is a partnership between SYNLAB, a German firm, and Guy’s and St Thomas’ and King’s College Hospital NHS Foundation Trusts; many will be asking if their cyber-security defences were robust enough. The scale of the impact suggests that the affected organisations’ incident-response plans may have been undercooked. “Somewhere something hasn’t really worked,” says Awais Rashid, a professor of cyber-security at the University of Bristol.
Other questions are much broader, and go to how seriously Britain is taking threats to its critical infrastructure. The country is not alone in its vulnerability to ransomware. Attacks on health-care organisations have long been on the rise, with incidents in America increasing by 130% to 258 in 2023. But this is not the first time the NHS has suffered serious disruption. In 2017 a piece of North Korean malware known as WannaCry took out hundreds of thousands of computers in over 150 countries. Though this was not a targeted attack, over 700 NHS organisations and affiliates were affected. Ambulances were diverted when their tech became unusable; thousands of appointments were cancelled.
South-east London, the NHS integrated care system (ICS) most affected by the latest attack, does at least appear to have had a cyber-security plan. But according to research by the Health Service Journal, 27 of the other 41 ICSs in England do not have such a strategy; the national programme to help develop them recently had its funding cut in half. That seems mad. In December a parliamentary committee warned of the particular vulnerability of cash-strapped NHS bodies to cyber-attacks, noting that owing to crumbling IT services and underinvestment, many trusts lack the capacity to perform even “simple upgrades”. “This attack should be a wake-up call,” says Steve Sands, who chairs the Information Security Specialist Group at the Chartered Institute for IT. That has been said before. ■
Correction (June 21st 2024): In an earlier version we said that Steve Sands chairs the Chartered Institute for IT. Mr Sands is actually the chair of the institute’s Information Security Specialist Group, not the whole organisation. Sorry.
For more expert analysis of the biggest stories in Britain, sign up to Blighty, our weekly subscriber-only newsletter.