World-leading heart hospital 'very, very lucky' to dodge ransomware hit

Papworth's timely backups saved the day

World-leading Papworth Hospital has escaped a full-on zero-day crypto ransomware attack thanks to the "very, very lucky" timing of its daily backup.

It's believed that an on-duty nurse at the heart and lung hospital in Cambridgeshire, UK, unwittingly clicked on something in an infected email, activating the attack at about 11pm on a Saturday night a few months back.

But the malware did not start encrypting files until after midnight – just after the daily backup had completed, ICT director Jane Berezynskyj has said.

The NHS foundation trust had made recovery plans and recruited experienced staff following earlier attacks, but Berezynskyj said: "We were also very, very lucky. Timing absolutely was everything for us."

Papworth has since moved to hourly incremental backups, using mixed media including tape, given that some attacks target digital backups.

Berezynskyj, speaking at the EHI Live healthcare conference in Birmingham this week, said Papworth was hit by a new variant of crypto software for which there was no remedial software.

"We've got some fairly ancient application architecture so we've got some file-shares, and actually that's what happened to us – a crypto attack went through our file-shares and encrypted the data."

"Thank God for that full backup, then," she added.

"We're pretty certain that when we suffered our ransomware attack, the user concerned navigated away from that screen that said: 'This is a ransomware attack, please pay X amount in bitcoins'," Berezynskyj said, but the person never reported what happened. "One of our key weaknesses is our people and user behaviour," she added, despite a programme of staff education and communication.

The trust's four-person IT team worked from 1am to 9pm on the Sunday, with further work with suppliers on Monday and Tuesday, to recover its systems.

Papworth had not budgeted for such an attack, although Berezynskyj said she had been able to absorb its cost within existing budgets. It did not hit clinical care, but this again was down to timing. "We don't do Sunday operations, so it didn’t affect operating theatres," she said. "If we'd been doing a heart operation on a Sunday, it would have been a huge problem."

Berezynskyj added that she is trying to persuade the trust's financial director to include provision for attack recovery. "It's not if, it's when it's going to happen," she said. "But that dialogue is still evolving, because finance people only like to plan for what's actually going to happen, and I can’t give cast-iron guarantees."

She mentioned research suggesting that each cyber-attack in healthcare costs £80,672-£161,345 (€90,000-€180,000).

Papworth is famous as the centre for the UK's first successful heart transplant in 1979.

Speaking at the same session, Lydia Kostopoulos, a principal consultant for PA Consulting, said an experiment she ran sending benign phishing emails to staff at US hospitals found they were most likely to be clicked on between 11pm and 5am, particularly by nurses on graveyard shifts.

Meanwhile, Northern Lincolnshire and Goole NHS foundation trust is right now recovering from a major incident following a cyber-attack which led it to cancel operations.

A spokesperson for the Goole NHS foundation trust told us today: "There is an ongoing investigation between the Trust, NHS Digital and the police, and while it continues we are not in a position to issue any further information. The Trust’s services are now running as normal." ®
