A cyberattack on a medical service can have devastating results
A cyberattack on a medical service can have devastating results

The National Health Service's Lincolnshire and Goole trust has been crippled by a cyber-attack. Malware apparently infected networks in Scunthorpe and Grimsby on 30 October; the trust then took the decision to shut down all major systems within the shared IT network to isolate and destroy what the Trust described as a  virus.

Dr Karen Dunderdale, deputy chief executive of the trust, told press on Monday, that after the infection “we have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it.”

“Inpatients will continue to be cared for and discharged as soon as they are medically fit. Major trauma cases will be diverted to neighbouring hospitals as will high risk women in labour.” She added, “While our emergency departments remain open and are accepting ambulances, we would urge people to only visit if they absolutely need to”.

As a result, operations have been cancelled in hospitals across Lincolnshire and A&E departments all over the region are expecting delays.   A release on the front page of the Trust's website says “Our main priority is patient safety. A major incident has been called and all planned operations, outpatient appointments and diagnostic procedures have been cancelled for today (Tuesday).”

At Lincoln County hospital around 20 operations have been cancelled, and 15 have been cancelled at Pilgrim county hospital in Boston according to the BBC. Laurence Roberts, medical director at the Trust told the broadcaster that accessing patient information was possible but slow.

Patients who had a scheduled operation on Tuesday November 1 have been told to presume it has been cancelled, unless they are contacted. A select number of services will continue; inpatients will continue to be looked after and patients who would be at “significant clinical risk should their treatment be delayed”, will also be treated. The trust is apparently reviewing the situation on an  hourly basis.

Few details have been released about the nature of the attack but the shutdown has affected Goole and District Hospital, Scunthorpe General Hospital and Diana, Princess of Wales Hospital.

Ed Macnair, CEO of CensorNet told SCMagazineUK.com that the “NHS is one of the most advanced in the world in terms of digitisation, which clearly has its benefits, but also increases the impact of a cyber attack. The NHS holds hugely personal information about patients and the consequences of that getting into the wrong hands could be devastating.”

Independent Security Evaluators (ISE) carried out a study into the cyber-resilience of the US healthcare industry last year, finding that security teams in the healthcare sector overemphasised protection of data and didn't focus on more advanced threats. 

Ted Harrington, an executive partner at ISE, told SC that this is merely another example of "how security in healthcare is a patient health issue, not just a data issue. When security incidents cause the shutdown of hospitals, delivery of patient care is impacted."

"Although the scope of our research was limited to the United States, and there are differences in laws and regulations between the United States and the United Kingdom, many of the underlying technical and business security challenges are the same . These challenges are the likely culprits of this incident." 

Update - 16:00 - Lincolnshire and Goole NHS Trust have announced that the cancellations will continue into Wednesday 2 October, except for a handful of departments including audiology, antenatal, chemotherapy, paediatrics, immunology and Cardiothoracic appointments among others.