

Case Study

Disruption of Entire Hospital Network by Malware Virus


In May 2017, the UK’s National Health Service (“NHS”) was disrupted after its computer network was infected by the “WannaCry” malware. WannaCry encrypts a computer’s files and demands that the victim make a ransom payment (in Bitcoins) before it allows access to the files.

The malware spread by exploiting a vulnerability in the Microsoft Windows operating software and through “phishing” emails. Victims received emails with a purportedly legitimate attachment that actually contained the virus. Clicking on the attachment infected the victim’s computer, and the malware then spread across the network to which the computer was attached. According to UK media reports, approximately 90% of NHS computers were vulnerable to WannaCry because they ran a 15-year-old operating system. The NHS had to cancel non-urgent surgery and other services until the network was repaired.

This follows an incident that affected the Royal Melbourne Hospital (“RMH”) in January 2016, when malware targeted computers that ran on the same operating system. The malware bypassed RMH’s antivirus software using an exploit in the operating system, which RMH used on approximately half of the computers linked to its network.

At the time of the attack, RMH was approximately 50% through the rollout of an updated computer system. However, prior to the attack, RMH had not given the rollout a high priority, on the basis that a more measured rollout would smooth internal change management. As a result of the virus, RMH could only process urgent pathology specimens.

How it happened

Both WannaCry and the QBot malware that affected RMH spread through their victims’ networks using phishing emails. The emails were designed to look legitimate and to appear to come from a legitimate source. However, the attachment included with the email contained the virus and, once activated, the virus spread rapidly through the victim’s computer network.

Key takeaways

Health service providers should educate employees on identifying suspicious emails, as well as employ other risk management strategies including:

  • Use more complex passwords and ensure that all devices are password-protected;
  • Update all software regularly and consider replacing vulnerable programs as quickly as possible;
  • Maintain current cyber-protection software, including firewalls, anti-spyware, antivirus and anti-malware software;
  • Ensure the deletion of all computer files from any hardware which is discarded or transferred;
  • Use a two-step authorisation process where possible;
  • Update and train staff on policies relating to the handling of confidential and sensitive information (including personal data); and
  • Update and regularly test disaster recovery and business continuity plans to determine whether, in the event the computer network is infected by malware, the provider can recover from such an event and continue business as usual.