
Barts Health takes “urgent action” following Cl0p cyber attack

Barts Health NHS Trust has responded to a recent cyber attack where files from a database containing invoices were stolen and posted on the dark web. The stolen files include names and addresses of individuals required to pay for services at the trust over a period of several years, as well as staff members who left employment owing salary sacrifice or overpayments.

According to Barts, attackers “exploited a loophole in the Oracle E-business Suite software”, which automates key business processes; the loophole has since been rectified. Whilst the theft itself occurred in August, the trust reports that “there was no indication trust data was at risk until November”, when the files were posted on the dark web, adding: “To date no information has been published on the general internet, and the risk is limited to those able to access compressed files on the encrypted dark web.”

Those potentially affected are currently being contacted to inform them about the possible risk of their personal data being compromised, with the trust advising that details could be used by criminals to lure people into sharing sensitive information or making payments.

Barts is now taking “urgent action” and seeking a High Court order to prevent the stolen details being published or shared. Work is also underway with NHS England, the National Cyber Security Centre, and the Metropolitan Police, with the trust assuring that it has reported the breach to relevant regulators including the Information Commissioner’s Office. It also highlights that EPR and clinical systems are not affected, and core IT infrastructure is secure.

“We are very sorry that this has happened and are taking steps with our suppliers to ensure that it could not happen again,” the trust shares. Those with concerns or questions relating to the attack are encouraged to contact the trust data protection officer.

Wider trend: Cyber security

In a recent panel discussion, we were joined by experts from across the health and care sector to explore different approaches to cyber security and how to overcome the main challenges involved in making healthcare organisations more secure. We also looked at practical steps that can be taken to help with staff awareness and training, along with short-term priorities and what the future might look like. As part of the discussion, we were joined by Keltie Jamieson, the CIO at Bermuda Hospitals Board; Nasser Arif, cyber security manager at London Northwest Healthcare NHS Trust and Hillingdon Hospitals NHS Foundation Trust; and Ryan Pullen, director of Stripe OLT Consulting.

Guidance from NHS England has outlined ways non-executive directors can contribute to keeping their organisation safe from cyber attack, with Jamie Saunders, non-executive chair of the NHS England Cyber Security Risk Committee, noting, “boards throughout the NHS have a key role to play in safeguarding patients from this risk.” The aim is to provide a resource that helps directors understand and deal with cyber security risks, explains how external assessments provide insights, and sets out the questions to ask yourself and of the board, as well as the questions the board itself should ask.

The Cyber Security and Resilience (Network and Information Systems) Bill has been published, introducing regulation for companies providing IT and cyber services to the NHS “for the first time”, including reporting duties around cyber incidents and requirements for cyber mitigation plans. Given the trusted access these companies hold to critical national infrastructure, government, and business networks, the Bill outlines clear security duties that will need to be met moving forward. “This includes reporting significant or potentially significant cyber incidents promptly to government and their customers as well as having robust plans in place to deal with the consequences,” the Department for Science, Innovation and Technology states.