British hospital investigating impact of ‘contained’ cyber incident

The Walsall Healthcare NHS Trust, which runs Walsall Manor Hospital, said that it has been impacted by a “contained” cyber incident.

IT staff for the Trust began responding to the incident two weeks ago on March 10, although it was only disclosed on Thursday by the local Express and Star newspaper.

In a statement to the newspaper Rich Pearson, the organization’s CISO, said: “The trust is currently dealing with the aftermath of a cyber incident, which was contained.”

The Walsall Trust has around 4,400 staff and provides healthcare services to roughly 260,000 people in the region north of Birmingham.

The nature of the cyberattack has not been confirmed, although the hospital said it was working with both the U.K.’s National Cyber Security Centre and the Information Commissioner’s Office (ICO), the data protection regulator.

It follows the British government publishing on Wednesday its new cybersecurity strategy for the National Health Service, which stated: “The most significant cyber threat the sector faces is ransomware.”

A number of hospitals in Europe and the United States have suffered cyberattacks in recent weeks, including hospitals in the cities of Brussels and Brest, Barcelona, and Tallahassee, Florida.

Although there is no direct evidence that a cyberattack on a hospital has caused loss of life, research by the U.S. Cybersecurity and Infrastructure Security Agency — as cited in the NHS cybersecurity strategy — “showed that US hospitals that had suffered a ransomware attack were more likely to suffer worse health outcomes, including increased mortality.”

Pearson said the Trust’s IT team “has been working hard since we were alerted to the threat, and we are working closely with the National Cyber Security Centre to understand the full extent and impact of what has happened.”

He added:” Until the investigation is concluded, we would encourage people to remain vigilant around any suspicious activity. We will provide further information as soon as we are able to."

A spokesperson for the ICO confirmed that Walsall Healthcare NHS Trust has informed the regulator about an incident, and warned that medical data was “highly sensitive information” which organizations had a legal responsibility to handle carefully and securely.

"When a data incident occurs, we would expect an organization to consider whether it is appropriate to contact those affected, and to consider whether there are steps that can be taken to protect them from any potential adverse effects,” the spokesperson added.