Ransomware attack shuts down NHS hospitals as malware spreads globally; 'evidence' of U.S. attack, says HHS

Updated Sunday, May 14.

A massive ransomware attack spread throughout countries in Europe and Asia on Friday, including Britain, where hospitals were forced to divert patients after malware prevented clinicians from accessing medical records.

Meanwhile, officials with the Department of Health and Human Services said there was "evidence" of an attack in the U.S., as security firm Avast reported there were more than 75,000 WanaCrypt0r 2.0 (aka WCry) ransomware attacks in 99 countries.

"HHS is aware of a significant cybersecurity issue in the UK and other international locations affecting hospitals and healthcare information systems," Laura Wolf, chief of the critical infrastructure protection branch at the Office of the Assistant Secretary for Preparedness and Response (ASPR), said in a statement.

"We are also aware that there is evidence of this attack occurring inside the United States. We are working with our partners across government and in the private sector to develop a better understanding of the threat and to provide additional information on measures to protect your systems. We advise that you continue to exercise cybersecurity best practices—particularly with respect to email."

By midafternoon on Friday, officials with NHS Digital, which oversees cybersecurity for the national health system, told the New York Times that at least 25 hospitals had been hit by the attack.

A statement from NHS Digital released earlier in the day said at least 16 hospitals had been affected, but there was no evidence that patient data had been accessed.

On Saturday, NHS said thousands of operations and other appointments would be canceled and that it could take several weeks to fix aging computer systems hit by Friday’s attack. The NHS also said vital equipment, such as MRI scanners and X-ray machines, have been taken offline as they cannot be repaired immediately.

Anne Rainseberry, incident director at NHS, issued a statement on Friday reassuring patients that they could access services in an emergency but cautioned that hospitals were still dealing with the aftermath of the attack.

“More widely we ask people to use the NHS wisely while we deal with this major incident which is still ongoing. NHS Digital are investigating the incident and across the NHS we have tried and tested contingency plans to ensure we are able to keep the NHS open for business,” she said.

According to The Guardian, British Prime Minister Theresa May said the attack on NHS was part of a larger attack that struck 11 other countries, including Spain, Germany, Russia and Japan.

NHS officials believed the attack was a variant of Wanna Decryptor, a type of malware that locked down hospital computers so clinicians could not access patient records unless they paid the $300 Bitcoin ransom. The Times reported that the malware was developed by the U.S. National Security Agency and then leaked by a hacking group. Although Microsoft had released a patch for the vulnerability, many hospitals had not updated their systems.

The attack was slowed over the weekend by a 22-year-old being hailed as an "accidental hero," who found a kill switch in the virus. But, he told the U.K.'s Daily Mail, hackers are already trying to sabotage the fix.

NHS Barts Health, which operates four major hospitals in London, including The Royal London, issued a statement indicating it was canceling routine appointments, diverting ambulances to other hospitals and requested the public “use other NHS services whenever possible.”

“NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organizations and ensure patient safety is protected,” according to the statement issued by NHS Digital.

Consultants advised organizations to narrow down the patch and fix it as quickly as possible.

"The best route to take, though, is education and communication," Will Hinde, managing director in the healthcare practice at West Monroe Partners, a consultant firm based in Chicago, told FierceHealthcare. 

RELATED: Should hospitals pay up following a ransomware attack? The answer is far from simple

Creighton Magid, a partner at the international law firm Dorsey & Whitney based in New York City, said the NHS breach represents a new kind of attack that focuses on shutting down businesses and hospitals. 

"Let’s hope that the attack on the National Health Service in Britain is simply a matter of inconvenience, and that nobody is denied essential care," he said in an email to FierceHealthcare. "But what happens if someone is, and is harmed as a result? What if a US hospital were attacked similarly, and someone’s health were to be seriously impacted. Beyond the human tragedy, it would suggest possible new liability targets, starting with the hospital that failed to ensure that it had updated all of its patches."

Editor's Note: A previous version of this story misidentified the agency Laura Wolf works for. It has been updated for accuracy.