7 April 2020, updated 01 Jul 2021 12:57pm

Is the NHS safe from cyber attacks?

As hospitals fight coronavirus, is our healthcare system more vulnerable to the demands of cyber criminals?

By Oscar Williams

In May 2017, the NHS experienced a “critical incident” not dissimilar to the crisis currently unfolding in hospitals across the country. As doctors and nurses struggled to meet the demand on their services, they were forced to postpone tens of thousands of all but the most urgent operations, risking patients’ lives and costing an already austerity-stricken health service nearly £100m.

But while this particular incident shared some similarities to the coronavirus crisis, it was triggered by a different kind of viral outbreak. Hackers linked to the North Korean government had released a ransomware virus that quickly spread across the web. Dubbed WannaCry, the virus encrypted computer networks around the world, bringing organisations that had failed to update their Microsoft software, including dozens of NHS trusts, to a screeching halt.

Now, as Covid-19 threatens to plunge the NHS into unprecedented crisis, Interpol is warning that hospitals and other healthcare organisations are facing another surge in ransomware attacks, quashing hopes that cybercrime groups would spare organisations operating at the frontline of the outbreak. (In an email exchange with the website Bleeping Computer, two high-profile ransomware operators had promised to attempt to avoid healthcare organisations, while acknowledging that ransomware is notoriously difficult to contain.) So what steps has the NHS taken to protect itself since WannaCry, and could such an incident happen again?

There are two reasons WannaCry spread so quickly through the health service in 2017. 

Firstly, malicious code known as exploits, which were developed by the US National Security Agency to target vulnerabilities in Windows software, had been accidentally leaked, providing less sophisticated hackers, such as those working on behalf of North Korea, with the ability to develop extremely powerful malware.

Secondly, the NHS had been underfunding its IT provision for decades. By the time North Korea released the virus, hospitals still hadn’t updated their Windows software, meaning the databases upon which hospitals depended were exposed and quickly encrypted.

Many security experts believe the health service is better prepared to weather a similar strike today. The EternalBlue and EternalRomance exploits developed by the NSA were unusually powerful; as far as we know, another set of exploits either as dangerous or as widely accessible as the NSA’s is yet to emerge. Just as significantly for the UK, in the wake of WannaCry, the NHS has spent £159m on upgrading its operating systems to Windows 10, meaning only a small number of computers are now running versions of the software that are no longer supported with security updates when new vulnerabilities appear.

NHS trusts have also been working closely with the National Cyber Security Centre (NCSC) to improve their defences, and they appear to have made significant progress. According to data released under freedom of information laws in January, the NHS has suffered 209 successful ransomware attacks since 2014, but only six took place after WannaCry – although one in five hospitals surveyed as part of the research refused or failed to answer the question.

While an incident as widespread as the WannaCry crisis is unlikely to reoccur within the NHS in the near future, individual trusts may still be vulnerable to more targeted attacks. “Evidently, the NHS is stretched to breaking point,” Joyce Hakmeh, a research fellow at Chatham House, told the Press Association last week. “Expecting it to be on top of its cyber security during these exceptionally challenging times is unrealistic.”

In order to reduce the administrative burden, NHSX, the health service’s tech unit, has given hospital trusts an extra six months to carry out their next set of security resilience checks. “I would have been utterly shocked to hear this just a few months ago,” Jake Moore, a former cybercrime police officer who now works for the security firm ESET, told the New Statesman. But while Chatham House’s Hakmeh criticised the move, Moore said it was justified given the circumstances. NHSX said that even though they wouldn’t be assessed on the matter in the short term, “all organisations must continue to maintain their patching regimes”.

Although the NHS’s cyber defences have been reinforced in light of the WannaCry attack, there may be another reason that the number of successful attacks on its systems has declined so rapidly. NHS Digital claimed in 2017 that the health service has never paid a ransom and a National Audit Office report into the WannaCry incident found no evidence that any of the affected trusts had paid up. Ultimately, hackers follow the money and if it dries up in one area, they move on to a different set of targets.

The NHS will hope a new package of work with the NCSC to protect hospitals, twinned with its reputation for not normally paying ransoms, will make it a less appealing target for hackers. But there is another factor that could also play in its favour: the prospect of retaliation. Some security experts believe that nation states could turn their cyber military might against gangs that take on healthcare organisations.

Whether this will all be enough to protect the NHS during the peak of the crisis remains to be seen, but the health service’s leaders will hope that, to cybercriminals considering whether or not to target the health service, the risks will seem greater than the reward.
