
Official UK records confirm cyberattacks put NHS patients at risk of clinical harm

Two cyberattacks affecting Britain’s National Health Service (NHS) last year put patients at risk of clinical harm, according to official data obtained by Recorded Future News.

The data, recorded by the government under the Network and Information Systems (NIS) Regulations and obtained under the Freedom of Information Act, does not identify specific incidents but highlights the growing threat that financially motivated cyber incidents pose to public safety.

It follows the head of the National Cyber Security Centre, Richard Horne, telling cybersecurity practitioners earlier this month that their work was “not just about protecting systems, it’s about protecting our people, our economy, our society, from harm.”

One of the two incidents is likely to be the ransomware attack on pathology services provider Synnovis, which severely disrupted care at a large number of National Health Service (NHS) hospitals and care providers in London by delaying and cancelling operations and appointments.

Criminals similarly disrupted care in an attack on Wirral University Teaching Hospital NHS Foundation Trust, causing delays to cancer treatments as reported by The Register.

The government data records no incidents that led to excess fatalities or excess casualties, the two highest categories for NIS incidents. Two incidents, however, passed the threshold of the third category: causing potential clinical harm to more than 50 patients, with clinical harm defined as harm resulting from medical care or the lack of it.

Patient safety concerns in England and Wales, potentially including concerns resulting from cyberattacks, are investigated by the Health Services Safety Investigations Body (HSSIB), which is an independent part of the Department of Health and Social Care.

HSSIB’s chief executive Dr. Rosie Benneyworth told Recorded Future News that while the board hadn’t “carried out specific investigation work examining the impact of cyberattacks […] as expert independent investigators, we understand the impact of emerging risks, and we can see that there is potential with a cyber attack to make patient safety incidents more likely.”

In particular, Benneyworth highlighted the risks around “the availability of Electronic Patient Records, sharing of vital data between organisations and visibility of laboratory or radiology results – people who may be seriously ill could be affected by a delay in treatment or diagnoses.”

A ransomware attack on IT service provider Advanced back in 2022 left medical staff using pens and paper to treat patients as electronic patient records were unavailable. Britain’s privacy regulator fined Advanced £3.1 million earlier this year for its failure to adequately protect people’s data, although there are currently no laws governing how such companies continue to provide critical services in the event of an attack.

The British government has pledged to update the NIS Regulations to also include software companies such as Advanced, with its new Cyber Security and Resilience Bill to be introduced to Parliament later this year. Last week, senior NHS officials sent letters to their suppliers asking them to help tackle the “endemic” threat of ransomware attacks following a series of disruptive incidents.

“Cyberattacks also create huge operational challenges for healthcare providers and with this could come more demands on services and staff — increasing fatigue and stretching resources thinly. All of this has huge potential for harm to patients to occur,” added Benneyworth.

“Our view is that it is important for systems and providers to have robust business continuity plans to mitigate risks in the event of an attack. We have been carrying out work examining safety management systems which help support a proactive approach to safety in healthcare,” said the HSSIB chief.

“These frameworks and principles would help to also manage patient safety in the event of an attack. HSSIB has regular and on-going engagement with the Joint Cyber Unit and are keen to explore opportunities to work together to consider the impact on patient safety in more detail.”

A Department of Health and Social Care spokesperson said: “National security is one of the key foundations of this government and we are reinforcing cyber resilience across health and social care to protect patients. Our ambitious Cyber Security and Resilience Bill will help organisations, including the NHS, respond to evolving cyber threats and strengthen our critical supply chains ensuring essential digital services are protected.”

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.