Computer Virus Attack Forces Hospitals To Cancel Operations, Shut Down Systems

A hospital system in the United Kingdom has canceled all planned operations and diverted major trauma cases to neighboring facilities citing a computer virus outbreak. From a report on ZDNet: The Northern Lincolnshire and Goole NHS Foundation Trust says a "major incident" has been caused by a "computer virus" which infected its electronic systems on Sunday. As a result of the attack, the hospital has taken the decision to shut down the majority of its computer networks in order to combat the virus. "A virus infected our electronic systems [on Sunday] and we have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it," said Dr Karen Dunderdale, the trust's deputy chief executive. The use of a shared IT system also means the United Lincolnshire Hospitals Trust has been taken offline as staff attempt to combat the attack. As a result of the attack, all outpatient appointments and diagnostic procedures that were set to take place at the infected hospitals on Monday and Tuesday have been canceled, while medical emergencies involving major trauma and women in high-risk labor are being diverted to neighboring hospitals.

Did everyone suddenly forget....?

[cayenne8]

Did everyone suddenly forget how to use pen and paper for records?

Do they not have paper they can write on till the computer system is back up and then retroactively enter the data in?

Seriously, it wasn't that long ago that it was ALL paper records and charts....surely people can still write and notate on paper till the computer system comes up.

If not, then we all SERIOUSLY need to reconsider having only electronic records for medical treatment, or a few hackers could really kill people...literally.

Re:Did everyone suddenly forget....?

[SeaFox]

But they'd then have to issue several copies of the same records/data/requests to forward them to various departments of the hospital. People would be loathe to writing the same thing down several times, and I'm suspecting that they no longer use carbon paper. So using hand written instructions would be out of the question

If only there was some sort of machine that made a photo-perfect copy of the writing and illustrations on paper...

Re:Did everyone suddenly forget....?

[DarkOx]

Its one thing for your local Applebees to bust out the hand held check pad for the evening if the computers are down.

The worst that happens is someone screws up and few meals have to get comped, maybe some supplies don't get reordered etc. As long as they get it mostly right things will be fine.

Its different in a Hospital, mostly right is often not only not good enough but deadly. You don't want staff suddenly using a fall back procedure they have comparatively little training and practice with! If its an emergency and you have a triage situation because of a disaster that is one thing, but you would be foolish to do anything that is elective or can be safely postponed.

Re:Did everyone suddenly forget....?

[ColdWetDog]

While everyone has paper fall back systems in place, they're rarely, if ever, tested because you've then just given everyone double the work load for some period of time. Always a winner when it comes to employee satisfaction.

Also, computers are increasingly used as decision support tools. Yes, you could, theoretically, put that logic flow down on paper. In fact, that would be a useful exercise to do so you could step through everything. No, people aren't going to go do that (see above).

Especially in medicine, hospital systems are going to have to rethink their networks. It really can't be a standard Windows business-class 'works most of the time to some degree' type thing. It must be more along the line of a bank or Amazon - high availability, high security, fail over capability. You really shouldn't be able to, for example, hang around on Slashdot on the hospital network.

Oh. Wait.

Re:Did everyone suddenly forget....?

[Ungrounded+Lightning]

Did everyone suddenly forget how to use pen and paper for records?

Do they not have paper they can write on till the computer system is back up and then retroactively enter the data in?

Paper and pen records started being replaced as far back as the '60 (when my father, an administrator in a major hospital, replaced hand-copying the patients' name and medical record number onto each form - using up more of the nurses' time than actually caring for the patient - with imprinting this info using a credit-card-style hospital card and a credit-card-bill imprinter).

They take too much of the health-care professionals' time, leading to enormously increased cost, reduced and delayed treatment, and increased medical errors.

Switching back to paper and pen records and tracking, on short notice, is NOT an option. When the computers are down, as with a major disaster emergency, patient history is no longer available and treatment must be done solely on currently-visible signs and symptoms. (So most patients are offloaded to sites where the I.T. equipment is still up.)

Maybe they shouldn't be using the largest...

[mark-t]

... virus attack vector in the first place. While I realize that no OS is immune to viruses, it seems that switching to an OS that isn't as widely targeted should at least substantially reduce the likelihood they would be susceptible... and as most of the alternatives are a variant on Unix, usually have enough restrictions on what users are allowed to do that no one end-user with normal privileges can render the system unusable for anyone else.

Re:Maybe they shouldn't be using the largest...

[guruevi]

I do work in the business, we run my department completely on Mac and Linux, not only that but we have almost no proprietary software. All of our core software is open source with only a few things like certain visualization software that isn't.

The problem isn't choice, the problem is nobody cares that your hospital is a billion dollars over budget, government and insurance will pay for it. Another symptom is the "head count problem", a CIO is successful if it can reduce the amount of people working for it and as such it's liability.

The reason everything is shifting to being outsourced is liability, if a contractor or a vendor screws up, the hospital doesn't have to notify anyone and the contracting company (a glorified shell company) in worst case can just change it's name or cease operations, even better if your local laws don't apply to the contractor. Either way, nobody is held responsible or embarrassed.

Re:Maybe they shouldn't be using the largest...

[Mashiki]

Don't know what company you worked for, or who you were forced with. But I've done several big installations of new healthcare hardware and software(hospitals and dr's offices) . They all required Windows because the company that made the software, which was required to communicate with provincial offices for billing required a "common database" for communication. That's the way it was in 1999 in my first job doing it, and that's the way it was on the last healthcare job I did ~3 years ago. So depending on where you are, it can indeed be "limited choice" and you can enjoy all the fuckedupness that goes along with it.

Re:Maybe they shouldn't be using the largest...

[Voyager529]

They probably don't have a choice of OS. That is likely determined by their software vendor.

That merely shifts the blame. The software vendor was foolish for choosing that OS. Collective foolishness is still foolishness.

The problem isn't "the software vendor", it's "all the software vendors".

EMR is more frequently than not a SaaS application like PointClickCare. Have Browser, Will Travel. This is the height of "cross platform awesomeness". It's also basically the end of the highlights.

Prescription medication inventory and ordering software is a trainwreck, and even if that's ported to Linux, now you have to worry about some highly specific printers, some with MICR funcitonality, for which you'll need drivers.

Then, let's get into all the different gadgets in a hospital, from MRI machines to EKG logging to weight distribution sensors to X-ray machines to chiropractic thermal sensors to sonogram machines to things I simply haven't spent enough time in a hospital to recall. A nontrivial amount of these machines cost a solid six figures or more and require dedicated training in their use...and all have a highly vertical software stack that even flows into downstream situations (doctors don't exactly get 3D MRI scans in PDF formats...), and yes, there's frequently DRM involved.

There's also the billing office, which is the kind of place where drop-in replacement for the existing billing software *and* near-infinite accessibility of archived data is going to be a requirement. I wouldn't be surprised if more than a handful of hospitals are either still directly using an AS/400, or a frontend for one. To be fair, this is one place where a number of EMR vendors as well as separate cloud vendors have products, but incumbent data is going to be a major problem.

Remember how I said it wasn't "the vendor"? I wasn't kidding - it's *all the vendors*. If a hospital is going to switch to Linux, everything above has to be compatible. Tell a hospital they need to replace their three year old, $4 million MRI machine because it's not Linux compatible, and see how far that gets you. Conversely, the software developers who write the custom software to run that MRI machine aren't going to reinvent the wheel because one hospital says "pretty please", and even if half of those vendors *did* revamp their software for Linux *and* they managed to avoid situations like one company only supporting Red Hat while another company only supports Ubuntu...you'll still need to have Windows around for the other half.

Ultimately, it's a chicken-and-egg problem, because it requires far too much cooperation from far too many people at once to write some highly expensive software for a niche within a niche. Don't get me wrong, if Mark Shuttleworth wants to spend a billion or two to target a specific hospital and cover the bill to bootstrap the development of a fully HIPPA compliant Ubuntu software stack and ensure that there isn't a device, application, or workflow in that hospital that would require Windows, I'd be beyond thrilled. However, I'm not holding my breath on that.

Re:Maybe they shouldn't be using the largest...

Medical imaging uses a networking standard called Dicom. Some equipment are running Windows, other Linux, some review stations Mac Os, etc...

Re:Maybe they shouldn't be using the largest...

[houghi]

Reminds me of when the "I Love Virus" hit our company and the rest of the world. Our IT department decided to close down the company. Meaning everybody, except IT staff had to leave the building and go home.
What I did was launch the dualboot BeOS and others their Linux as we got a LOT of request from other companies regarding the virus.
It took us all of 2 minutes to be operational again in some sort.

We did the same when the authentication server went down and IT tried to blame it on the routers.

So having more than 1 point of failure is somehow interesting.

Let it be noted that my boss then told us that he had not seen us using any other OS besides Windows and that we should not mention it to him if we did and that he would understand if we forgot to tell him during these type of days. I have the slight impression that he knew and was just covering his ass, while protecting us. Just a hunch.

Major incident caused by a "computer virus"

[khz6955]

What was the name of this "computer virus" and what was the name of the Operating System platform?

Re:Major incident caused by a "computer virus"

[leathered]

From what I've heard it's a ransomware variant. The NHS is virtually all-Microsoft.

I currently work in IT for an NHS trust. We've had several incidents involving ransomware encrypting files on shares but they've been contained and easily dealt with because 1) we have a highly granular file structure, users only have write access to shares and folders that is absolutely necessary and access is regularly audited. 2) a snapshotting file system which makes it a lot easier to recover files than restoring from tape. 3) by identifying the ownership of the encrypted files we can nail the culprit quickly and remove their access immediately to prevent further damage.

Anti Virus has proven to be useless, the people who write this stuff are always one step ahead of the AV vendors.

IT Admin wanted...

[dfsmith]

They're currently posting an ad for an IT Admin (asset mgmt) at UKP 17k (~$20k/yr). Great advertising... any takers? http://jobs.nlg.nhs.uk/job/UK/...

Do all network based systems need the Internet?

[Streetlight]

I'm assuming the virus got into the hospital's record keeping data system through an Internet connection. This makes me wonder if every system in the hospital is connected to the public Internet, including life support systems such as ventilators, heart monitors, etc., and and other devices such as robotic surgery machines, analytical laboratory equipment, x-ray data analysis computers, and more. Every data storage and manipulation device does not need to be on the general public Internet. Imagine if a county's ICBM launch systems were connected to the public Internet. The mind boggles. Even if these many systems were not on the Internet, a black hat with access to a significant collection of important networked computers can still do damage. The Stuxnet compromise of the Iranian uranium enrichment centrifuges is a perfect example.

Re:Betcha they still run Windows XP

[BlueStrat]

Tell me, which state are Lincolnshire and Goole in?

Mostly solid, with some liquid and gaseous thrown in.

Oh, and confusion and frustration as well.

Such a sad state.

Strat

Re:Black hat hackers kill

[guruevi]

Some people are criminals, what else is new? If only people weren't thieves, I wouldn't need locks on my door. Computer virus propagation on corporate networks is simple negligence, there is no reason after nearly 40 years of viruses that an entire system can be brought down with a simple criminal act.

This is similar to someone cuttting the power or water supply to a hospital and for some reason we have thought about and funded all THOSE failure modes but lo and behold the magic computing devices, they have never been able to operate without a complicated desktop windowing system, a system that directly connects all of them to a bidirectional sewage system AND a skeleton key the entire world owns.

Computer virus? Or Windows virus?

[troublemaker_23]

Why does ZDNet always hide the fact that Windows is the operating system involved when viruses, worms, malware, scumware, ransomware etc are involved?

Re:Betcha they still run Windows XP

[hoofie]

This is the UK. No patients are billed excepting for the occasional private room one and ambulance chasers for medical cases are very rare in the UK purely because even if they do win [Medical Negligence is not easy to prove in the UK and cases are dealt with by a judge only] the payout does not result in a huge legal payday. Speculative lawsuits in the UK are a non-starter.