The last major cyber attack to widely affect the NHS was the Wannacry ransomware outbreak in 2017. It spread across more than 80 NHS trusts (of 236 trusts at the time) within a few hours on the morning of 12 May. A further 595 GP practices and 603 other NHS organisations were also affected. At an estimated cost to the NHS of £92m, and disruption to 19,000 patient appointments, Wannacry made a huge impact on healthcare services in the UK and other countries.
With attention rightly focused on the Covid situation, succumbing to a further attack would waste valuable resources required for the recovery efforts. That said, criminals never sleep and, towards the end of 2020, national cyber security agencies around the world plus NHS Digital began to warn of increased criminal activities targeting schools, government facilities and hospitals.
What we can do
There are many tips for staying safe from a cyber attack but specifically for radiology departments:
- Be careful when opening emails, including work emails and those via NHS.net services. Stop and think before opening attachments – you may be targeted with very specific attachments. Some sites dedicate PCs or workstations for the opening of emails and browsing the web – avoid using crucial ‘clinical’ PCs for this purpose if at all possible.
- Never browse the internet or open external files on a modality. Be aware that modalities do, by necessity, run older operating systems (sometimes still Windows XP) and are far more vulnerable to exploits already in the public domain than, for example, domestic PCs with their weekly updates installed. Anti-virus software is also sometimes disabled, again by necessity, on modalities.
- Be aware of what websites you are visiting on hospital computers. There is sometimes a delay in applying security patches and updates to hospital machines, and also in general commercial settings, due to the need to run extensive compatibility testing with all other applications and services that need to be run normally.
- If you use external or portable hard drives, perhaps for teaching purposes, be careful they do not turn into a conduit for bringing in malicious software from your domestic appliances.
- Never plug a personal mobile telephone into a PC USB socket to charge. Use a correct USB charging device instead or a ‘USB power condom’ device (this is the correct term for the product), which may be available from your trust’s IT department if charging is a permitted activity.
- Vigilance is always the option of least effort. ‘Something’s happening’ The first action after identifying that something strange, unexpected or alarming is happening with one or more machines in your department is to isolate and prevent collateral damage. Cyber attacks happen rapidly (Wannacry took over swathes of radiology resources in under 15 minutes as it spread on the local networks, freely in many cases). Prompt action by local staff in the area is therefore required, and this swift action aids the PACS teams and IT departments in their later efforts in containment, damage assessment and recovery. Emergency first responses by radiographers when noticing an outbreak in their area (in the absence of a specific local trust plan or instructions to the contrary):
- Physically disconnect CT scanners, MRI, NM, ultrasound machines and digital radiograph modalities from the hospital network by unplugging the network cable from the wall jack. Anyone can do this. In almost all cases, the machines can still be used to acquire images and only transfers to PACS, worklist updates, etc will stop. Imaging can be reviewed on the modality until the situation is contained. Monitor the modality to be sure it has not been affected by malicious software. If malicious software looks to be operating, or the device acts slowly or abnormally, stop using it immediately. Safely extricate any patients from enclosed machinery – this being particularly important in therapy settings.
- Although extremely unlikely, it would not be impossible to have a malicious program operate a CT scanner or therapy system at parameters that were not those selected by or shown to the operator (exactly this type of malicious behaviour was used in the Stuxnet computer worm that targeted nuclear facilities in Indonesia, India and Iran up to 2010). This type of cyber attack could have long-term damaging effects on patients if not noticed.
- Mobile devices should have their wireless network connections disabled. If this is tricky to do, power down the machine and allow your PACS team to perform the task. Again, powering off the device before infection allows for the machine to stay ‘clean’.
- Immediately inform your IT department, PACS team and lead of the radiology department. They may need to take rapid action to shut down the affected network or order the disconnection of all remaining machines in areas that are not currently affected but are likely to be.
Tips for PACS teams
Keep a disaster plan and kit available. PACS teams will usually like to keep a set of equipment that enables them to create ‘miniature networks’ that are isolated from the main hospital network in critical areas such as A&E DR rooms, hot reporting and the main CT suite. These are primarily to cope with general severe network failures but they serve the same purpose in the event of a cyber attack.
- Create and test manual entry and ‘match-up’ processes (a way of working without network connections).
- Ensure a stock of CDs and paper is available to carry on operations if disrupted for a few days (some hospitals took several weeks to recover their network operations after Wannacry).
- Practise the sequence of cyber infections in conjunction with local IT departments by deploying a simulated attack on the radiology infrastructure.
- Remember that email communications are completely ineffective during a cyber attack. Digital phone or pager systems may also be affected if they use server-based technologies. Have a communications plan for cyber attacks based on departmental intercoms (tannoys), walkie- talkies or area ‘stewards’ (nominated staff wearing tabards and physically walking around to deliver updates and collect status information to and from each department lead).
- Consider your backup situation for PACS, RIS, rendered cases, teaching files and departmental documents, etc.