Basic Security Flaws Identified in Hospital IT Systems


A post incident investigation of a cyber security breach Grimsby’s Diana, Princess of Wales Hospital has exposed basic security flaws

Flawed passwords and weaknesses in a firewall designed to protect IT systems have been blamed for the incident at the Northern Lincolnshire and Goole NHS trust.

The crisis, considered to be the most serious cyber attack to have so far hit NHS services, severely disrupted activities at Grimsby, Scunthorpe and Goole hospitals over a period of three days.

More than 2,800 patients were affected with operations, tests and appointments cancelled and some major emergencies, including high-risk births, were diverted to neighbouring hospitals.

A criminal investigation, headed by specialist officers at the regional cyber-crime unit run by West Yorkshire Police is currently underway.

The incident has also triggered a review of lessons for NHS organisations across the country amid increasing evidence the health service is being targeted by hackers and concerns that ageing IT could leave vital services vulnerable.

Management at the NHS trust ordered the shutdown of the majority of their IT systems, including electronic patient records, after the attack by a “ransomware” virus on October 30.

A report to NHS officials in the East Riding of Yorkshire has revealed a series of weaknesses that allowed the hackers to penetrate the hospital’s IT systems. These included:

  • Passwords for key network accounts were not sufficiently complex – this made them “more vulnerable to exploitation” than those which are longer and changed more frequently
  • Accounts used by administrators, who had wide access to IT systems, were left open even when they were not being used. This particular weakness  allowed hackers to gain access to the trust’s systems
  • The firewall designed to protect systems had been configured incorrectly following testing.

The report said a number of key lessons had been learned including tighter checks on firewall security and better training for all staff around IT security.

Further work is underway by the trust and further recommendations are expected.