Warning of more cyber-attack cases as people return to work after weekend

The full scale of the international cyber attack that continues to disrupt the NHS may only become apparent when people return to work on Monday, experts have warned.

More than 200,000 victims in around 150 countries have been infected by the ransomware which originated in the UK and Spain on Friday before spreading globally.

Ciaran Martin, chief executive of the National Cyber Security Centre, said the outbreak could continue to infect more systems and other victims may emerge.

"On Monday morning at the start of the new working week it's likely that successful attacks from Friday that haven't yet become apparent will become apparent," he told the Press Association.

"And also existing known infections can spread, we can't say what scale the new cases will occur at but it's likely there will be some."

It is not known how the attack has affected GP surgeries, which are due to open as usual on Monday.

An NHS England spokesman described it is a "very complex emerging picture".

People are advised to attend any hospital or doctor appointments as normal, unless they are contacted and told not to.

Professor Helen Stokes-Lampard of the Royal College of General Practitioners said many GPs went into their practices on Sunday to reboot their computers and install updates.

"GPs, of course, can still diagnose and treat patients without using computers but we ask our patients to bear with us if routine services such as repeat prescriptions and appointment booking services are slightly disrupted this week," she said.

"In the meantime, we wish to reassure patients that your GP will be there for you as usual if you are taken ill and that you will receive the best possible care from the NHS, despite the current difficulties."

Around a fifth of NHS trusts were hit in the attack, forcing them to postpone operations and procedures over the weekend.

Seven hospitals remained on A&E divert on Sunday afternoon, with ambulances taking emergency patients elsewhere, NHS England said.

Dr Anne Rainsberry, NHS incident director, said: "We have been working with 47 organisations providing urgent and emergency care who have been infected to varying degrees.

"Most have found ways of working around this but seven, including St Barts in London, have asked for extra support."

It comes amid concerns networks were left vulnerable because they were still using outdated Windows XP software.

Brad Smith, Microsoft president and chief legal officer, described what happened as a "powerful reminder" of the importance of updating software.

"The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect," he said in a blog post.

"As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems.

"Otherwise they're literally fighting the problems of the present with tools from the past."

Medical staff reported seeing computers go down "one by one" as the Wanna Decryptor ransomware, also known as WannaCry, took hold, locking machines and demanding money to release the data.

The apparent chink in the NHS's defences led to criticism of the Government, with the Liberal Democrats demanding an inquiry.

Labour's shadow health secretary, Jonathan Ashworth, in a letter to Health Secretary Jeremy Hunt, said concerns were repeatedly flagged about outdated computer systems.

Investigators from around the globe, including the National Crime Agency, are working to hunt down those responsible for the virus.

A British cyber whiz was hailed an "accidental hero" after he registered a domain name that unexpectedly stopped the spread of the virus.

The anonymous specialist, known only as MalwareTech, issued a warning that hackers could upgrade the virus to remove the kill switch.

Among those affected by the virus was Nissan, but the car manufacturer said there had been no major impact.

A spokesman said it was "business as usual" for the Sunday night production shift at the plant in Sunderland.

Speaking on BBC Radio 4's Today programme, Mr Ashworth accused the Government of "raiding" NHS capital budgets to fund day-to-day spending.

"Infrastructure budgets have been raided, have been cut back, which has meant hospital trusts have not been able to spend the money on upgrading their IT systems," he said.

However, security minister Ben Wallace blamed changes under the last Labour government to stop contracting across the NHS with Microsoft, instead leaving IT up to individual trusts.

Mr Wallace said the attack had been "very potent" and had spread very quickly, adding: "It's not about a billion pounds in this infrastructure or that infrastructure."

York Teaching Hospital NHS Foundation Trust, which was hit by the attack on Friday, said some out-patient appointments had been cancelled on Monday – especially at Selby War Memorial Hospital – but most were not affected.

The trust said bone scan appoints had been cancelled in Scarborough and in Selby: “All outpatient appointments are cancelled except blood-taking and MSK physiotherapy.”

But it said in a statement: “All outpatient clinics at York Hospital, Malton Hospital, Bridlington Hospital are going ahead.

“Planned operations are also going ahead as scheduled.”
The statement added: “The situation will be reviewed daily and information will be shared regarding any cancellations to appointments and services later in the week.

“There will be some delays to our services as we recover from the effects of the cyber attack, and we ask for people’s patience and understanding as we work to fully restore our systems.

“We will ensure that we re-schedule any cancelled appointments as soon as possible.”

Staff at the trust volunteered to work over the weekend to repair the main computer system and individual computers, prioritising in-patient wards.

It was reported that 2,000 of the trust’s 6,000 computers were infected as well as the central system.

York trust chief executive Patrick Crowley told BBC Breakfast: “Once the situation unfolded it became clear it was almost engulfing the organisation. At the last count, we had 2,000 of our 6,000 PCs out of action and, clearly, that’s quite disabling for clinical services.

“Over the weekend, we’ve been working round-the-clock to get PCs back online and I’m pleased to say over half of them are back and recommissioned.”

Mr Crowley said: “All our services are pretty much back as normal.”

He asked people to be patient, saying: “Things may run a little bit slower.”

As some services are reliant to a degree on paper, Mr Crowley asked for “a little bit of patience, a little bit of understanding and a lot of appreciation for a huge army of staff who’ve done so well to get these services back online”.

Security minister Ben Wallace said the NHS had followed some “pretty good procedures” in combating the cyber attack, with technical staff restoring data and replacing security patches over the weekend at trusts across the country

He told BBC Breakfast the Government had put £1.2 billion into combating cyber attacks during the last strategic defence and security review, including a £50 million pot to support NHS IT networks.

And he defended the Government after a National Audit Office report in November warned that taking money away from NHS services would leave them vulnerable.

He insisted individual trusts have enough money to protect themselves against cyber attacks, saying: “After the NAO report and indeed at numerous occasions after there are incidents, whether there are cyber attacks, small or large around the world, we pass on information to the trusts.

“We make sure the trusts are aware of their vulnerabilities and ask them to make sure they keep themselves up to date. What we don’t do in our NHS is micromanage it from the desk.”

Mr Wallace said it was a “red herring” to focus solely on the Windows XP operating system as being vulnerable, saying the virus had also attacked both Windows 7 and 8.1.

The “real key” was whether trusts had regularly backed up data and whether they were installing security patches.

He said: “Some security patches were issued by Microsoft back in March and some trusts absolutely clearly loaded those up to protect themselves. Of course, after this we have got to ask ourselves why was it not uniform.”

Mr Wallace also suggested there had been no statement over the weekend from Health Secretary Jeremy Hunt – despite him attending a meeting of the Government’s emergency Cobra committee on Saturday – because it had been a “criminal attack on an organ of the state”, with the Home Office taking over in matters of “defence of the realm”.

Arriving in Brussels for a meeting of EU foreign ministers, Foreign Secretary Boris Johnson said: “Cyber-security is a huge issue for all of us in all our countries.

“It’s not specifically on the agenda today, but a huge amount of work goes on between the UK Government and all our friends and partners around Europe, and indeed in the United States, where they are now stepping up their precautions against cyber attacks of these kinds.”

The Southport and Ormskirk Hospital NHS Trust said patient safety is being “maintained” but difficulties are continuing.
Patients scheduled to have operations today have been asked not to attend hospital unless they have been contacted directly.

All outpatients and endoscopy appointments and routine MRI and CT scans scheduled for today have also been cancelled.
Patients have been contacted directly if they need to attend, the trust said.

Patients needing dialysis have been told to attend as usual and the pregnancy assessment unit and all antenatal clinics will be open as usual.

A statement from the Trust added: “We would like to thank all staff within the Trust and colleagues at partner organisations across the region for their continued support.”

However The Royal Liverpool and Broadgreen University Hospitals Trust reported their IT system had not been attacked and was operating normally.

Likewise the Pennine Acute Hospitals NHS Trust, which runs hospitals in Manchester, Oldham and Rochdale, said they had not been affected by the attack but had taken precautionary measures to protect their IT systems.

Yui Mok/PA Wire


Get our latest features in your inbox

Join our community of business leaders