World-leading Papworth Hospital has escaped a full-on zero-day crypto ransomware attack thanks to the "very, very lucky" timing of its daily backup.
It's believed that an on-duty nurse at the heart and lung hospital in Cambridgeshire, UK, unwittingly clicked on something in an infected email, activating the attack at about 11pm on a Saturday night a few months back.
But the malware did not start encrypting files until after midnight – just after the daily backup had completed, ICT director Jane Berezynskyj has said.
The NHS foundation trust had made recovery plans and recruited experienced staff following earlier attacks, but Berezynskyj said: "We were also very, very lucky. Timing absolutely was everything for us."
Papworth has since moved to hourly incremental backups, using mixed media including tape, given that some attacks target digital backups.
Berezynskyj, speaking at the EHI Live healthcare conference in Birmingham this week, said Papworth was hit by a new variant of crypto software for which there was no remedial software.
"We've got some fairly ancient application architecture so we've got some file-shares, and actually that's what happened to us – a crypto attack went through our file-shares and encrypted the data."
"Thank God for that full backup, then," she added.
"We're pretty certain that when we suffered our ransomware attack, the user concerned navigated away from that screen that said: 'This is a ransomware attack, please pay X amount in bitcoins'," Berezynskyj said, but the person never reported what happened. "One of our key weaknesses is our people and user behaviour," she added, despite a programme of staff education and communication.
The trust's four-person IT team worked from 1am to 9pm on the Sunday, with further work with suppliers on Monday and Tuesday, to recover its systems.
Papworth had not budgeted for such an attack, although Berezynskyj said she had been able to absorb its cost within existing budgets. It did not hit clinical care, but this again was down to timing. "We don't do Sunday operations, so it didn’t affect operating theatres," she said. "If we'd been doing a heart operation on a Sunday, it would have been a huge problem."
Berezynskyj added that she is trying to persuade the trust's financial director to include provision for attack recovery. "It's not if, it's when it's going to happen," she said. "But that dialogue is still evolving, because finance people only like to plan for what's actually going to happen, and I can’t give cast-iron guarantees."
She mentioned research suggesting that each cyber-attack in healthcare costs £80,672-£161,345 (€90,000-€180,000).
Papworth is famous as the centre for the UK's first successful heart transplant in 1979.
Speaking at the same session, Lydia Kostopoulos, a principal consultant for PA Consulting, said an experiment she ran sending benign phishing emails to staff at US hospitals found they were most likely to be clicked on between 11pm and 5am, particularly by nurses on graveyard shifts.
Meanwhile, Northern Lincolnshire and Goole NHS foundation trust is right now recovering from a major incident following a cyber-attack which led it to cancel operations.
A spokesperson for the Goole NHS foundation trust told us today: "There is an ongoing investigation between the Trust, NHS Digital and the police, and while it continues we are not in a position to issue any further information. The Trust’s services are now running as normal." ®