Critical Cyber-Attack on Hospitals Now A Reality- A View From ‘Across the Pond’

Robinson+Cole Data Privacy + Security Insider
Contact

[co-authors: Stuart Knowles, Duncan Astill - Mills & Reeve LLP.]

Serious trouble for all health and care providers looms large.

High risk women in labour and major trauma cases are being diverted to other hospitals after a cyber-attack recently shut down services at a hospital in the East of England, Northern Lincolnshire and Goole Hospitals NHS Foundation Trust.

Putting aside why anyone would want to put people’s lives at risk (would you pay a ransom demand), the Trust’s three main hospitals have suffered a near total shutdown of vital IT systems.

Information is the life-blood of the health sector and the seriousness of this event and a likely re-occurrence cannot be underestimated.

This comes following the UK Government announced its cyber defence initiative. It is scary stuff and it will affect all of us – as organisations and vulnerable individuals.

The UK National Health Service (NHS) is already doing a lot of work on the problem. NHS Digital previously the Health and Social Care Information Centre, has warned that, despite some improvements, boards of most health and care organisations still do not have this on their agenda.

We are aware of serious attacks on health providers outside the UK in recent months which have led to ransom demands where computers were infected by ransomware – a malicious piece of software which locks up systems until a ransom is  paid to get them unblocked (ransomware). There have been other serious attacks on health and care providers in the UK but this latest is one of the most serious and high profile –  as far as we are aware – and should be seen as a portent of things to come. It is less than two weeks since (it is alleged) the Russians attacked major IT systems in the UK and elsewhere shutting down Twitter and a whole lot more – websites and services both large and small.

What’s next?

Attacks will get bigger and more sophisticated. The threat to patient safety is real and universal. Imagine if the emergency department or an ambulance trust was suddenly infected. Chaos would ensue and lives put at real and immediate risk. Cyber-attack may have no warning.

A failure to plan, to protect your systems and to manage a crisis properly will lead to serious consequences. Quite apart from the threat to patient safety and the career limiting consequences for managers that would arise from death, you would have to deal with a mix (or all) of the following:

  • Criminal investigations
  • Potential manslaughter / corporate manslaughter
  • Health and safety
  • Regulatory investigation
  • Claims for civil liability
  • Inquests
  • Reputational damage and serious loss of business
  • Crisis management

Without doubt, board members of every health and care organisations must have assurance on the enforcement of the strictest technical safeguards and personal responsibility. Demonstrable compliance is not optional. Vulnerability assessments and penetration tests (hacking with consent) are a ‘no-brainer’.

NHS Digital has a cyber security programme which provides a valuable resource designed to help health and care organisations improve local cyber security.

The recent review of Data Security, Consent and Opt Outs by the UK National Data Guardian, Dame Fiona Caldicott sets out ten clear standards organisations should follow to increase data security.

For more information on risks and liability you can read our briefing for the UK health and care sector: Criminal liability in health and social care settings – the changing landscape.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider
Contact
more
less

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.