NHS Ransomware Attack – Next Steps to Reassure Patients

London, 12th May 2017 - It’s not often that a hospital can be considered the patient, but that is exactly what is happening today with the news that the UK’s National Health Service has suffered a cyber security incident, with many hospitals around the country infected with ransomware.

According to Fifth Step CEO Darren Wray, who advises private and public sector organisations how to manage all aspects of their technology defences, Business Continuity Planning and Incident Response Plans:

“Today’s attack has resulted in computer systems and patient records being greatly impacted if not completely impossible to access. For those parts of the NHS that have been impacted the clock is now ticking. The files and systems that have been encrypted can be unlocked by paying the ransom (within 24 hours of the machine becoming infected), or by the hospitals instigating their incident response plan.”

What will those working on the incident be doing now, and what path will they be following?

Wray said: “Firstly, a multi-departmental incident response team will have been alerted to the breach. This will include people from across the hospitals, including doctors, nurses as well as people from physical security, IT security and IT itself. The primary purpose of this team will be to keep patients safe during the incident, contain the problem, and return the hospital to normal operations as quickly as possible. The team will work with law enforcement (the National Cyber-security Centre has been mentioned as well), and where appropriate obtain evidence.”

Organisations such as the NHS typically have well-practiced incident response plans in place. These always need to be able to answer the key questions:

• What are we trying to protect?
• What are we protecting against?
• How will we know we’ve had an incident?
• What do we do to recover (scenario by scenario)?
• How do we improve our security and processes to prevent a reoccurrence?

Wray say: “The IT security and IT teams will be at the frontline in returning the hospital to normal operations; they will be assessing the nature of the incident, and assessing their options. Like any organisation that finds itself in this situation, the options will depend on how well prepared they were for this scenario.”

For ransomware, this will include:

• Identify and isolate infected machines from the network
• Restore infected machines from backups
• Where backups are not sufficiently recent or don’t exist, pay the ransom.

Wray said: “While limited details have been released about how this infection got into the hospitals, the fact is that that it occurred in multiple locations in a short period. It means that IT specialists as well as doctors and nurses are going to be spending their time this evening working to resolve the problem. All we can do at this point is to thank them for their dedication, and to wish the hospitals a speedy recovery from this particular virulent infection.”