Northern Lincolnshire NHS up and running again after "virus" threat

News by Rene Millman

Ransomware most likely culprit for network infection that closed down three hospitals in North Lincolnshire and affected several other affiliated institutions.


An NHS Trust has said that most of its IT systems are operational again following what it claimed was a virus outbreak.

The Northern Lincolnshire and Goole NHS Foundation Trust was forced to cancel operations at three hospitals in the region. Operations at hospitals outside the Trust were also cancelled as these shared services with the Trust.

It is just one of the latest in a long line of attacks against NHS Trusts and other medical institutions around the world.

The problems started Sunday but only got back to normal yesterday – four days after the initial infection. The Trust said that security consultants were brought in to investigate systems and rectify any problems they encountered.

In a statement to the press, the Trust said a “virus” had been detected on Sunday and IT systems were shut off to prevent further infection.

"A virus infected our electronic systems on Sunday, October 30 and we have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it,” said the Trust in a statement.

“Our main priority is patient safety. A major incident has been called and all planned operations, outpatient appointments and diagnostic procedures have been cancelled for today (Monday) and tomorrow (Tuesday). All patients should presume their appointment/procedure has been cancelled unless they are contacted. Those who turn up will be turned away.”

The issue led to the Trust turning away “major trauma cases" and redirecting "high risk women in labour" to neighbouring hospitals. But some hospitals operated by  United Lincolnshire Hospitals NHS Trust have also been affected by the cyber attack as the two trusts share four clinical IT systems and also had to cancel operations. contacted Northern Lincolnshire and Goole NHS Foundation Trust to find out what had happened, if the threat was from a virus or perhaps ransomware, and what they planned to do to keep operational in the event of a disaster in the future. At the time of writing, the Trust hasn't answered our questions.

Following the incident, a police investigation has been launched into the attack, according to reports from the Grimsby Telegraph.

"We are aware of the incident and are investigating it as a crime. We are working closely with the NHS Foundation Trust as enquiries continue,” DCI Vanessa Smith, of the regional cyber crime unit at West Yorkshire Police, told the newspaper.

Orlando Scott-Cowley, an independent cyber-security consultant, said that ransomware was “highly likely” in this instance.

“Given what we know about the scale of the interruption and how the networks were shared between hospitals, all the evidence points to malware that can replicate quickly across connected computers. Ransomware does this very well, and often uses open SMB shares to propagate around the network,” he said.

Scott-Cowley said it was very unlikely that police investigations would get anywhere.

“Often the malware is sent as part of a specifically targeted campaign to one organisation, but it can equally just get lucky and take out large corporate or government networks like these in a random fashion. The cyber-criminals who control the malware probably didn't expect it to be so effective in this instance, but I'm doubtful they'll get a pay day from it. Tracing the source of the outbreak to a ground zero user might be easy, but tracing the sender of the malware and securing a conviction will be much much harder,” he said.

If it was ransomware, then North Lincolnshire won't be alone in being a victim to this kind of attack: a report issued in August revealed that 47 percent of NHS Trusts in England have admitted to being victimised in this way.  

Jason Allaway, VP of UK & Ireland at RES, told SC that for the Lincolnshire and Goole NHS Foundation Trust, the backing-up of their data is the key area for reducing the downtime they experienced.

“Four days' worth of operations and appointments is a serious outage that would have caused considerable issues for patients and staff alike,” he said.

“In healthcare, built-in redundancies and backup can literally make the difference between having to halt all activity and having the capability to move forward with minimal disruption. Remember, the hackers are not obligated to hand back the unencrypted data once they have been paid, so ensuring that a backup is in place can be the difference between having to shut down or not.

“If the trust had access to an active and easily accessible back-up – not just data sitting off-site on a server – then the outage would have been significantly reduced.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews