Merseyside residents are facing a third day of significant disruption to healthcare services in the area, following a major cyber attack on Wirral University Teaching Hospitals NHS Foundation Trust.
The cyber attack, which initially came to light on Monday 25 November, is believed to have affected all clinical activity at multiple sites including Arrowe Park and Clatterbridge Hospitals. The Trust has been forced to cancel surgical procedures and turn away outpatients, although emergency care remains up and running.
In the wake of the attack, staff members told The Liverpool Echo they had been locked out of their IT systems and were unable to access patient records, leaving them forced to resort to manual procedures. Based on what is known of the nature of the incident, it appears to resemble a ransomware attack.
In a statement published on Tuesday 26 November, a spokesperson for the Trust said: “A major incident was declared at the Trust … for cyber security reasons and the incident remains ongoing.
“We are working to rectify the issue and our business continuity processes are in place,” they added. “Our priority remains ensuring patient safety. Some outpatient appointments scheduled today and tomorrow are cancelled. Where appointments have been cancelled, we have contacted patients directly. We apologise for any inconvenience and we will contact our patients as soon as possible to rearrange.
“Maternity services are running as normal. All antenatal appointments, community midwife appointments, scans and post-natal visits are continuing as usual. Please still attend maternity appointments unless contacted otherwise. The 24-hour emergency triage service is running as normal.
“We urge all members of the public to attend the Emergency Department only for genuine emergencies,” the spokesperson said. “For non-urgent health concerns, please use NHS 111, visit a walk-in centre, urgent treatment centre, your GP, or pharmacist.”
The National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) have both been informed of the attack, but as is usual in the wake of such an incident, the Trust has not released any additional details.
“Most cyber attacks cause frustration and financial disruption, but when hospitals are involved, genuine health issues can be affected, making this type of attack that much more sinister,” said Jake Moore, global cyber security advisor at ESET.
“Hospitals, councils and other local government agencies continue to lack funding and consequently do not have the strongest network protection. They may even still rely on legacy software. This in turn makes them an easy target for those looking to exploit any weaknesses.
“The government needs no extra proof that our local agencies need further resources as these types of attacks are not showing any signs of slowing down,” he added.
Calculated and intentional
Assuming Wirral University Trust has fallen victim to ransomware, such attacks on healthcare services are generally calculated, intentional intrusions because threat actors know such organisations are more likely to pay them off.
Indeed, according to a July 2024 survey conducted by identity specialist Semperis, 66% of global healthcare organisations had paid a ransom, perhaps unsurprising given that maintaining their services is a critical endeavour.
Semperis area vice-president for EMEA west Dan Lattimer said: “It’s imperative for hospitals to conduct day-to-day operations assuming breaches will occur. Overall, ransomware attacks cause disruptions and cast doubt, cut into profits, and in some cases can be a matter of life and death. Preparing now for inevitable disruptions will dramatically improve hospitals’ operational resiliency and better prepare them to turn away adversaries, leading the threat actors to softer targets downstream.”
He said there was no one silver bullet to solve the cyber challenges facing hospitals, but that best practice was to first identify critical single points of failure for the organisation and develop an incident response plan, keeping in mind that in the vast majority of ransomware attacks, cyber criminals will target their identity systems to access the most vital data.
“In the case of hospitals, [this] is patient data and other forms of proprietary information,” said Lattimer. “So have a plan to increase the operational resiliency of Active Directory and back it up so that if a cyber attack occurs, it can be restored quickly.”