Cyber Attack on October 30th

The request was successful.

Dear Northern Lincolnshire and Goole Hospitals NHS Foundation Trust,

My Freedom of Information Request is with regards to the virus that affected your electronic systems on Sunday October 30th 2016.

Could you please attach any documents created by the Trust in the Timeframe of 30th October 2016 – 4th November 2016 that relate to the isolation and removal of the virus. Examples would include, meeting notes taken during meetings related to the virus. Internal official Trust Wide communications during this period. Documents created that relate to Trust policies and procedures during a Cyber Attack (and any documents that were already in place regarding this). Documents that were created related to action taken in the removal of the virus (such as documents created by cyber security analysts removing the virus, and documents that were reviewed and authorised by management with relation to the handling and removal of the virus).

In addition could you answer the following questions:

1. You stated on one of the Major Incident updates on your site that you shut down the majority of your systems following expert advice.
a) Who were the experts consulted?
b) Were they internal?
c) Or did you consult with external security experts?
d) What specific actionable advice did you receive from the experts?
e) And how long after you were made aware of the virus did it take to make the decision to shut down your systems?
f) What was the name of the virus which infected the hospital?
g) How did it manifest itself?
h) How did it spread to affect the majority of systems within the hospital?
i) What did the virus do?
j) What actions were taken in order to isolate and destroy the virus?
k) Which software and tools were used to isolate and destroy the virus
l) How many staff members were involved in the actual isolation of the virus?

2. With regards to the exceptions for the cancelled planned operations, outpatient appointments and diagnostic procedures, namely Audiology, Physiological measurements, Antenatal, Community and therapy, Chemotherapy, Paediatrics, Gynaecology, Immunology, Cardiothoracic and vascular appointments with visiting consultants from Hull.
a) Were these continued using systems that weren’t affected by the virus? Or were these appointments continued without the aid of Electronic Systems?
b) What impact did this have on the hospital?
c) How did it compare to a “Business as usual” day at the hospital in terms of number of patients processed?
d) How many patients were turned away from the hospital as a result of the attack?
e) How many patients are processed on an average Sunday, and how many were processed on October 30th?
f) Same Question for Monday 31st October?
g) Same Question for Tuesday 1st November?
h) Same Question for Wednesday 2nd November?
i) When the majority of systems came back up on Thursday 3rd November was the patient flow normal back to “Business as Usual”?
j) Approximately how much has the virus cost the Trust or how much is it projected to cost? I.E. how much financial loss to the Trust can be attributed to the virus?
k) Were experts consulted throughout the duration of the Cyber Attack?
l) Were experts consulted after the Cyber Attack had been resolved?
m) If so, were these the same experts as were consulted before making the decision to take down the systems?
n) If not, who was consulted?
o) What steps were taken after the Cyber Attack to determine the policies and procedures which failed in order to allow a virus to infect the system?
p) Was it human error?
q) If so, what was the job title\role or Band of the person who caused the breach? I.E. Was it caused by someone with privileged permissions within your network, or someone with less restricted permission?
r) And what steps are being put in place to minimize the risk of this happening again?

3. Viruses can infect systems via unauthorised persons accessing a system using usernames and passwords acquired by social engineering, shoulder surfing, manual guessing, brute force etc, as I’m sure you’re aware. The National Cyber Security Centre (NCSC) regularly publishes guidance relating to Cyber Security Best Practice.
https://www.ncsc.gov.uk/guidance
a) What were your policies in place in place with regards to Cyber Security Hygiene in place at the Trust prior to Sunday October 30th 2016?
b) Have these changed in any way following (and including) the Cyber Attack at the Trust?
c) Is advice such as that above actively sought out at the Trust?
d) And if so, is it enacted upon?
e) If so, could you provide some examples of changes brought in after seeking advice from a body such as NCSC?

4. For a specific example, the National Cyber Security Centre recently published guidance regarding Simplifying You Approach to organisational Password Policies.
https://www.ncsc.gov.uk/guidance/passwor...
a) In what ways do your current policies vary from those recommended above?
b) For example the National Cyber Security Centre advises against forcing users to change their password at regular intervals. Is this advice implemented at the Trust?
c) If forced password expiry is still in place at the Trust?
d) If so, what are the justifications behind this decision?
e) If forced password expiry is not in place at your Trust, what tangible benefits have you received from this change? Lower usability costs, lower burden on users etc

Yours faithfully,
Aaron Boddy

foi (NORTHERN LINCOLNSHIRE AND GOOLE NHS FOUNDATION TRUST), Northern Lincolnshire and Goole Hospitals NHS Foundation Trust

Dear Aaron

Thank you for your Freedom of Information request below.

We will respond to you within 20 working days.

Kind regards

Anji
Anji Normanton
FOI Co-ordinator
Clinical and Quality Assurance
Northern Lincolnshire and Goole NHS Foundation Trust
Diana Princess of Wales Hospital

E:mail [email address]
Tel: 01472 874111 Ext 823099

Please note – This is a job share with Sara Lawis and my usual days of work are Mon, Tues, Thurs and Fri

show quoted sections

DAWS, Jeremy (NORTHERN LINCOLNSHIRE AND GOOLE NHS FOUNDATION TRUST), Northern Lincolnshire and Goole Hospitals NHS Foundation Trust

3 Attachments

Dear Aaron
 
Thank you for your Freedom of Information request dated 04 November 2016.
 
Please see below our response, highlighted in red in your original e-mail.
 
For reference, further information relating to the October 2016 cyber
attack at Northern Lincolnshire and Goole NHS Foundation Trust will be
made publicly available within the next seven days.
 
Regards
 
 
Jeremy Daws
Head of Quality Assurance
Northern Lincolnshire & Goole NHS Foundation Trust,
Directorate of Performance Assurance,
DPoW Tel/Fax: (01472) 874111 Ext: 7007
SGH Tel: (01724) 282282 Ext: 3535, Fax: (01724) 387819
Administration Support – Darren Bartlett, DPoW ext. 2883
e-mail: [1][email address]
[2]www.nlg.nhs.uk
This message and any attachments transmitted with it are confidential and
may be privileged. If you are not the intended recipient any reading,
printing, storage, disclosure, copying or any other action in respect of
this e-mail is prohibited and may be unlawful. If you have received this
message in error, please notify the sender immediately and then
permanently delete this e-mail, including any attachments, without copying
the message or disclosing its contents to anyone. The views or opinions
contained in this e-mail do not necessarily represent the views of
Northern Lincolnshire & Goole Hospitals NHS Foundation Trust and are not
binding on the Trust. The integrity and security of this message cannot be
guaranteed due to its transmission over the Internet.
 

show quoted sections

MAINPRIZE, Sarah (NORTHERN LINCOLNSHIRE AND GOOLE NHS FOUNDATION TRUST), Northern Lincolnshire and Goole Hospitals NHS Foundation Trust

4 Attachments

Hello, please see further information from the Trust relating to the
October cyber attack.

 

 

Regards,

Sarah

 

 

...........................................................................................

Sarah Mainprize

Head of communications and marketing

Northern Lincolnshire and Goole NHS Foundation Trust

 

01724 282282 x5562 or direct dial 01724 387739 | 07711 387286

[1][email address]

Scunthorpe General Hospital, Cliff Gardens DN15 7BH

 

[2]cid:image001.jpg@01D1E1AD.0A987350     [3]twitter[4]facebook

 

 

 

show quoted sections

References

Visible links
1. mailto:[email address]
3. http://www.twitter.com/NHSNLaG
4. http://www.facebook.com/NHSNLaG

MAINPRIZE, Sarah (NORTHERN LINCOLNSHIRE AND GOOLE NHS FOUNDATION TRUST), Northern Lincolnshire and Goole Hospitals NHS Foundation Trust

3 Attachments

Apologies, the date on the statement should read December, not November.

 

Regards,

Sarah

 

 

 

...........................................................................................

Sarah Mainprize

Head of communications and marketing

Northern Lincolnshire and Goole NHS Foundation Trust

 

01724 282282 x5562 or direct dial 01724 387739 | 07711 387286

[1][email address]

Scunthorpe General Hospital, Cliff Gardens DN15 7BH

 

[2]cid:image001.jpg@01D1E1AD.0A987350     [3]twitter[4]facebook

 

 

 

From: MAINPRIZE, Sarah (NORTHERN LINCOLNSHIRE AND GOOLE NHS FOUNDATION
TRUST)
Sent: 05 December 2016 16:44
Subject: Cyber attack statement

 

Hello, please see further information from the Trust relating to the
October cyber attack.

 

 

Regards,

Sarah

 

 

...........................................................................................

Sarah Mainprize

Head of communications and marketing

Northern Lincolnshire and Goole NHS Foundation Trust

 

01724 282282 x5562 or direct dial 01724 387739 | 07711 387286

[5][email address]

Scunthorpe General Hospital, Cliff Gardens DN15 7BH

 

[6]cid:image001.jpg@01D1E1AD.0A987350     [7]twitter[8]facebook

 

 

 

show quoted sections

References

Visible links
1. mailto:[email address]
3. http://www.twitter.com/NHSNLaG
4. http://www.facebook.com/NHSNLaG
5. mailto:[email address]
7. http://www.twitter.com/NHSNLaG
8. http://www.facebook.com/NHSNLaG

Looking for an EU Authority?

You can request documents directly from EU Institutions at our sister site AskTheEU.org . Find out more .

AskTheEU.org