TEL AVIV—Dr. Tony Bleetman wears several hats, splitting his time as an emergency physician in London and Tel Aviv. He’ll tell you right off the bat that he’s no expert in cybersecurity. But he’s had an experience that few hackers can claim: He was on the front lines of the WannaCry outbreak, where the ransomware directly affected the treatment of hospital patients.
Dr. Bleetman, a senior clinician in an emergency room on May 12, 2017, when the ransomware struck down computers around the world, had just started his noon shift at East London’s Newham University Hospital ER, when he and other medical staff members noticed that the computers were no longer properly working.
“Computer screens had gone blank. Messages had come up demanding [a] ransom for their computers to be switched on again. It became apparent within 15 to 20 minutes that there was a very significant cyberattack under way,” he said at Tel Aviv University’s annual Cyber Week conference here Monday.
It wasn’t until the medical staff turned on the TV that they saw reports that hospitals around England were just four hours into dealing with a massive ransomware attack. The damage could have been worse, had a British hacker not discovered and used a “kill switch” bug in the ransomware, many cybersecurity experts believe. That hacker, Marcus Hutchins, is now facing charges in the United States for allegedly creating the Kronos malware, which steals money from victims’ bank accounts accounts.
Thirteen months after the ransomware attack grabbed computers by the throat, the WannaCry victim numbers remain an impressive high-water mark of disruption: Across 150 countries, more than 300,000 computers were infected, including 30 percent of computers used by England’s National Health Service. WannaCry overwhelmingly affected computers running the 8-year-old Windows 7: 98 percent of WannaCry infections were on Windows 7 machines.
The hackers behind the attack collected $140,000. And because WannaCry disproportionately affected hospital computers, Dr. Bleetman argues, they had a notable real-world impact.
Hospitals were forced to adjust how they care for the sick and injured, he says, acknowledging that some medical professionals’ accounts amid the attack counter the NHS’ official assertions. In some cases, they stopped admitting new patients. And while there isn’t direct evidence that WannaCry caused patient deaths, he argues, it forced delays in care that negatively impacted patient outcomes.
The first problem the British health care system faced, Dr. Bleetman says, was that it was nearly a decade into a plan to create specialty treatment centers across London.
“The rationale is that if you invest an extra 10 to 15 minutes in patient transport time to a center that specializes in trauma all the time, the results will be better,” he said. “And indeed they are very much better—that applies to strokes and heart attacks.”
While stroke centers and heart attack centers, which specialize in getting patients through early, critical moments of care, briefly shut their doors, patients were rerouted to less specialized facilities.
The sudden decomputerization of medicine was crippling. While the computers were down, Dr. Bleetman and the other senior medical staff carved up the Newham emergency room on a whiteboard into slices of eight or so patient cubicles per doctor. Then two or three junior doctors helped each senior doctor evaluate and diagnose patients.
As hospital staff reverted to paper registrations for new patients, they lost track of admitted patients—and where they were in their treatment plans. Dr. Bleetman and his colleagues couldn’t read radiology images, receive lab results, or book new appointments.
Without the hospitals’ network, doctors also couldn’t share CT scan images. And without expert reads of CT scans (the computers they use to read CT scans weren’t working either), they lacked confidence in operating on patients that needed more invasive treatment.
The CT scanners themselves still functioned, however. They could store about 120 scans on their local hard drives. So doctors became “very selective” in choosing which patients they would scan. They set broken bones with casts and splints, and told patients to return in two days for a more thorough diagnosis. By then, they hoped, the computers would be functioning again.
“The first day, fortunately, no major trauma patients arrived. One PCI patient [a patient who needs an angioplasty with a stent], managed locally with old treatment protocols, subsequently got transferred a couple of days later.”
When asked to comment, the NHS pointed to a February report on the impact of WannaCry on England’s health care system by William Smart, its chief information officer. The report concludes that the agency did not adequately keep its computers and devices patched before the attack, and that future attacks may stretch resources despite a renewed emphasis on applying patches in a timely manner.
“Cyberattacks create the potential for a long-running, highly intense incident,” according to the report. “NHS England needs to ensure that it has the capacity to rotate its incident coordination centre and senior leadership to effectively manage the response.”
And while the report notes that NHS has reduced the number of unpatched computers on its networks, fending off cyberattacks requires more than patching, cautions Dr. Nick van Terheyden, founder and CEO of Incremental Healthcare, a healthcare consultancy.
“Not a discredit to the NHS, but the reality of this is that it doesn’t matter if you patch 100 percent of the time. There is no perfect security,” he says. “When we mess up in health care, it’s not just a few million dollars; this impacts patients, and patients are harmed.”
In a conversation following his presentation, Dr. Bleetman says there was little communication between medical staff at hospitals to compare notes on how they were dealing with WannaCry. And even a year later, he says, he hasn’t received new guidance from the NHS on responding to a cyberattack—or operating during one.
“There’s been very, very little change in preparation for a cyberattack. I’m not aware of anything—any change in policy, or change in software,” he says. “It’s a very real threat. My personal feeling is that not much has happened in the U.K. to prevent against further episodes.”