I am writing to you under the Freedom of Information Act 2000 to request the following information for the period 1st January 2017 to 22nd May 2017:

Transcription

1 Response sent by 13 June 2017 St Helier Hospital Wrythe Lane Carshalton Surrey SM5 1AA Tel: Direct dial tel: Re: Freedom of Information request - Ref: FOI 4054 Thank you for your recent request for information under the Freedom of Information (FOI) Act. Set out below is your original request followed by the Trust's response. I am writing to you under the Freedom of Information Act 2000 to request the following information for the period 1st January 2017 to 22nd May 2017: Q1. Details of any ransomware that has affected any of the IT systems used by the Epsom and St Helier University Hospitals NHS Trust. In each case this should include: a. The name of the ransomware b. The systems affected by the attack and what it is normally used for c. The operating system being run d. When and for how long systems were affected e. How the systems were affected, i.e. whether files were decrypted, systems locked, or other (please specify) f. What would happen if the ransom was not paid g. How the ransomware gained access to the network, i.e. phishing , USB stick, other (please specify) h. The ransom requested i. If the ransom was paid and the total ransom paid for the attack j. The number of medical activities (e.g. operations, scans, prescriptions, etc) that had to be suspended or altered during the infection period A1. We had no Ransomeware attacks for the period 1st January 2017 to 22nd May Q2. Details of any other type of malware that has affected any of the IT systems used by the Epsom and St Helier University Hospitals NHS Trust. In each case this should include: a. The name of the malware A2. a. Please see Appendix 1. b. The systems affected by the attack and what it is normally used for Great care to every patient, every day Patient Advice and Liaison Service (PALS) Main Switchboard Chairman Laurence Newman Chief Executive Daniel Elkeles

2 A2. b. Desktop PC s used in Administrative and Clinical areas c. The operating system being run A2. c. Windows XP and Windows 7 d. How the systems were affected, i.e. whether files were decrypted, systems locked, data stolen or other (please specify) A2. d. No infections due to Virus protection e. When and for how long systems were affected A2. e. N/A f. How the ransomware gained access to the network, i.e. phishing , USB stick, other (please specify) A2. f. N/A g. The number of medical activities (e.g. operations, scans, prescriptions, etc) that had to be suspended or altered during the infection period A2. g. Zero Q3. Any correspondence between senior members of staff about incidents logged as part of 1 and 2. A3. Please see attached alerts sent to all users. Q4. Any correspondence between the Epsom and St Helier University Hospitals NHS Trust and government departments logged as part of 1 and 2. A4. No If you have any queries about this letter, please contact the Freedom of Information office. Please remember to quote the reference number above in any future communications. If you are unhappy with the way in which your Freedom of Information request has been handled and wish to raise any concerns, please contact Meg Stevens, Head of Governance, at the address above or by (meg.stevens@esth.nhs.uk). Should you still be dissatisfied with the outcome, you are entitled to contact the Information Commissioner at: Information Commissioner s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Yours sincerely Great care to every patient, every day Patient Advice and Liaison Service (PALS) Main Switchboard Chairman Laurence Newman Chief Executive Daniel Elkeles

3 Teresa O Brien Freedom of Information Manager Corporate Affairs Epsom and St Helier University Hospitals NHS Trust T: E: teresa.obrien@esth.nhs.uk W: Great care to every patient, every day Patient Advice and Liaison Service (PALS) Main Switchboard Chairman Laurence Newman Chief Executive Daniel Elkeles

4 Threat Name Number of Threat Events Total 20,336 VBS/Downloader.br 19,453 Artemis!9402EEAAA Generic!atr 71 Generic Malware.eb 52 Spyware-ActMon 48 VBS/Autorun.worm.k 32 VBS/Agent.d 21 RDN/Generic.grp 16 JS/Redirector.dg 15 JS/Redirector.de 14 SWF/Exploit-Rig.b 10 JS/Redirector.dr 9 BackDoor-FCWZ!26EAFF BackDoor-FCWZ!B5EF1DD895F3 7 RDN/Generic PUP.x 7 Artemis!0EF2CEBB39CA 6 Generic Dropper.xj 6 RDN/Generic Downloader.x 5 Trojan-FJUK!5B7298A6B78E 5 JS/Nemucod.st 4 JS/Nemucod.us 4 Exploit-RTF.c 3 Generic PUP.z 3 PUP-XAT-IV 3 W97M/Downloader.awq 3 Artemis!233F9CD30EE8 2 Artemis!7E7229BA9B40 2 Artemis!9CAEC71BDBEC 2 Artemis!B931A59C Generic PUP.y 2 JS/Nemucod.eq 2 RDN/Generic.com 2 RDN/GenericRXBJ-FU 2 RDN/PWS-Banker 2 RDN/Ransom 2 W32/Gamarue.d!lnk 2 W32/Mariofev!mem 2

5 W97M/Downloader.aoa 2 W97M/Downloader.aoc 2 W97M/Downloader.axs 2 Adware-OtherSearch.c 1 Artemis!1FDC5039A4AC 1 Artemis!21DAD27B803F 1 Artemis!3CA846C567A2 1 Artemis!539811BDB6FC 1 Artemis!59EE5C76CD3C 1 Artemis!71D Artemis!8BB90BD Artemis!8D4F858CE650 1 Artemis!985E592357CE 1 Artemis!B0C446727F3C 1 Artemis!B3A28D69F0CA 1 Artemis!F48F D 1 BackDoor-FDEP!594C12F BackDoor-FDFA!2150DC0F23ED 1 Exploit-CVE c 1 Gamarue-FDL!2F3DB8029C6E 1 Gamarue-FDL!6701D2D5EA66 1 Generic Trojan.c 1 GenericRXAH-QS!2971D4C GenericRXAS-PY!E794005DF094 1 GenericRXAW-QP!105F9101EC1F 1 GenericRXAX-KK!1A90A7EB6CF0 1 GenericRXAY-ZK!BB984153ADB8 1 GenericRXBJ-HH! ECD1 1 GenericRXBJ-HH!7E89DA741D8E 1 HTML/Phish-SiteFraud.n 1 JS/Downloader.gen 1 JS/Nemucod 1 PUP-FOV 1 PUP-FRW 1 PUP-XAS-ZU 1 RDN/Generic PWS.y 1 Trojan-Dridex!267C2CAFDA79 1 Trojan-Dridex!D C 1 Trojan-FHRE!24BCA605D112 1 Trojan-FHRE! DF 1

6 Trojan-FHRE!512F2772C54E 1 Trojan-FHRE!69A19B3F394F 1 Trojan-FHRE!6E2C61FE668A 1 Trojan-FHRE!715C07EAB0DA 1 Trojan-FHRE!824B87CDCF83 1 Trojan-FHRE!9192A3ED2DA5 1 Trojan-FHRE!93AD83E568CB 1 Trojan-FHRE!940D2EA1453E 1 Trojan-FHRE! A80 1 Trojan-FHRE!BFBF4DDEA598 1 Trojan-FHRE!D04FC9BAB692 1 Trojan-FHRE!EE49679D0D22 1 Trojan-FHRE!EF77E25C2B94 1 Trojan-FHRE!F0C9BC5A3B4A 1 Trojan-FHRE!F6E2C7A20D31 1

7 All staff s regarding the Cyber attack National IT incident Update Last update: 12 May 2017 at 18.15pm Due to the serious cyber-attack affecting IT systems in some trusts and GP practices across England, we will be as a preventative measure shutting down the system. We will inform you when the system is back up through the site CSM s. We request all users do not open any attachments or launch links from any s, even if you believe it to be safe or from a known person. If you have any doubt about an , please do not open it at all. If you are using an NHS.net account please do not open any s as we are unable to prevent an attack via NHS.net. Any staff using NHS.net please log off from and do not use your . ICT will provide an update as soon as possible. Who to contact: ICT Helpdesk Message from Daniel Elkeles Chief Executive Dear Colleague, You have been able to turn on your PC and open this morning because our IT team have worked all weekend to deploy the many patches and fixes that we have needed to put in place following the ransomware attack that you will all have heard about. My thanks go to all those staff who gave up pretty much their entire weekend to do this. So please can everyone make sure that they take sensible precautions when using your . Please treat the following points as hospital policy with immediate effect. 1) If an arrives in your inbox from a sender you do not recognise. DO NOT OPEN IT. Either delete it straight away or phone the IT help desk for advice. 2) If you do open an and it then looks suspicious. DO NOT OPEN any links or attachments in that . Doing this could well infect your machine. Contact our IT help desk for advice or just delete the . 3) No reputable organisation now asks you to enter any personal details into a response to an . Be extra vigilant even from apparently trusted sources. Please don't be fooled. I sincerely hope that we are able to have a smooth start to the week, but please be patient as we continue to work to ensure the IT service is robust. My sincere thanks to everyone who worked this weekend both clinically and in IT to ensure that

8 we kept our hospitals running. Daniel Who to contact: ICT Helpdesk