Chinese hackers could bring the NHS to its knees by exploiting a known software flaw, experts warn.

Deputy Prime Minister Oliver Dowden today blamed ‘hostile’ Beijing-backed actors for a series of cyber attacks on the British public and elected officials. 

This includes a ‘complex’ 2021 attack on the Electoral Commission, the body which oversees elections and political donations in Britain.

The cyber attack – which went undetected for a year – breached personal details, including the names and addresses of 40million Brits. 

It is not known for certain how much of this information was accessed.

Chinese hackers could bring the NHS to its knees by exploiting a known software flaw that allowed them access to 40million Brits' personal details, experts warn (stock image)

Chinese hackers could bring the NHS to its knees by exploiting a known software flaw that allowed them access to 40million Brits’ personal details, experts warn (stock image)

China's foreign ministry has today insisted that countries should not 'spread disinformation' by making accusations without a 'factual basis'

China’s foreign ministry has today insisted that countries should not ‘spread disinformation’ by making accusations without a ‘factual basis’

Cyber security experts fear Brits’ medical data held by the NHS could also be at risk from the same software flaw used to hack the Electoral Commission.

Patrick Burgess, information security specialist at the British Computer Society, The Chartered Institute for IT, told MailOnline: ‘It has been reported that the initial ingress point for the Electoral Commission attack may well have been through the Exchange Server Vulnerabilities.

‘The NHS will absolutely be utilising this software along with a significant number of other organisations.’ 

Mr Burgess claimed, in real terms, a similar attack to the Electoral Commission on the NHS could have far reaching consequences, including potentially the blackmail of individuals.  

He said: ‘The NHS holds lots of personal data in lots of systems.

‘An attack on any of these which resulted in confidential data being leaked could be very painful for the individuals and lead to a risk of blackmail or phishing.

‘If this were to happen it would be critical that the NHS communicated quickly and clearly with the impacted individuals so they could be prepared for any further escalation.’

Mr Burgess, whose organisation has royal charter to set and maintain standards within the IT profession, added a politically-motivated ransomware attack was also a possibility if actors managed to access NHS systems ahead of time.  

‘The chance of a ransomware attack on national infrastructure is real and could be timed to coincide with a political event,’ he said.

However, Mr Burgess said that in contrast to the WannaCry attack on the NHS in 2017, which was an opportunistic attack, a politically-motivated equivalent would require hackers to be in a system already, waiting for orders to strike.

The upside of this is there is a chance NHS IT professionals could spot the hackers before the attack was launched and stop access, he said.

‘This would be where our monitoring and detection systems would have a chance to detect the behaviour before it became reality,’ he said.

However, echoing concerns from MPs and PM Rishi Sunak, Mr Burgess said the cyber threat posed by a nation like China cannot be underestimated. 

‘This level of threat actor, in this case reported to be China, has significant resource and expertise and we should continually be looking at our security posture to protect against past, current and emerging threats,’ he said.

He said unknown software vulnerabilities that allow hackers to access data are among the biggest cyber threats to organisations, something state-actors like China are keenly aware of. 

‘Threat actors such as China are continuously looking for these to exploit and the software manufacturers are continuously having to react to patch,’ he said.

‘We need to ensure rigorous update and monitoring policies are in place to mitigate these issues as fast as possible when they emerge.’

Mr Burgess added cyberattacks are impossible to fully prevent and the NHS should have preparations in place in what to do should they occur.  

A MailOnline's probe ¿ which goes up until January 2023 ¿ revealed the most common breach was for someone getting unauthorised access to people's personal data (335 incidents). More than 250 of the incidents recorded related to staff faxing or posting data to the incorrect recipient. Another 174 breaches related to documents being emailed to the wrong person

A MailOnline’s probe – which goes up until January 2023 – revealed the most common breach was for someone getting unauthorised access to people’s personal data (335 incidents). More than 250 of the incidents recorded related to staff faxing or posting data to the incorrect recipient. Another 174 breaches related to documents being emailed to the wrong person

‘As it is impossible to make the risk of an attack zero, we have to work under the assumption it will happen at some point and implement multiple layers of protection for data, so we are not just relying on one,’ he said. 

He added: ‘When they do happen, we need to be better at communicating quickly to the impacted individuals what has happened and what they can do to minimise the impact on themselves.’

An NHS England spokesperson said: ‘The NHS faces a broad range of cyber threats and over £338million has been invested since 2017 to help keep health and care organisations safe.

‘NHS cyber security specialists monitor for new threats 24 hours a day and we also support organisations across the NHS with advice, assessments, and training.’

The NHS didn’t comment on any specific steps it has taken in the wake of the Electoral Commission hack to protect patients’ data.

It also didn’t confirm if any similar data breaches had occurred since August 2021.

The UK’s data watchdog the Information Commissioner’s Office (ICO) said it was unable to confirm if any data breaches similar to that suffered by the Electoral Commission have occurred in the NHS due the way data breaches are recorded.

An ICO spokesperson added: ‘Our enquiries into the Electoral Commission incident are ongoing. 

‘If anyone is concerned about how their data has been handled, they should get in touch with the ICO or check our website for advice and support.’ 

It comes as Deputy PM Oliver Dowden is expected to take the dramatic step of accusing China of being behind a hack that accessed the personal details of 40million Brits. 

He is set to link China to the attack on the Electoral Commission, which admitted last August that ‘hostile actors’ had got into its systems as far back as 2021. 

In a statement to the Commons this afternoon, Mr Dowden is also set to point the finger over the ‘impersonation’ of MPs online. 

Officials could be subject to sanctions, with the action likely to be coordinated with other Western countries.

However, critics have accused the government of acting too slowly and raised concerns that the response will not go far enough.

China’s foreign ministry has today insisted that countries should not ‘spread disinformation’ by making accusations without a ‘factual basis’.  

A small group of politicians who are hawkish on China are also said to have been called to a briefing by Parliament’s director of security, Alison Giles, in relation to the cyber activity.

They include former Tory leader Sir Iain Duncan Smith, former minister Tim Loughton, crossbench peer Lord Alton and SNP MP Stewart McDonald.

The four are members of the Inter-Parliamentary Alliance on China (IPAC) pressure group, which focuses on issues involving the increasingly assertive Asian power.

Seventy-five NHS bodies have been investigated by the ICO for data breaches since 2021. Such investigations do not necessarily mean personal data was exposed or that the NHS organisations was at fault, with many investigations concluding that ‘no further action’ was required or that only advice from ICO was provided. However, five NHS bodies were issued with formal reprimands as a result of investigations

In a statement today, Sir Iain, Mr Loughton and Mr McDonald said: ‘Together with other members of parliament, activists, and dissidents, we have been subjected to harassment, impersonation, and attempted hacking from China for some time.’

‘Neither we, nor other parliamentary colleagues, will be bullied into silence by Beijing. For years the behaviour of the Chinese government has gone unchecked. 

‘Today’s announcement should mark a watershed moment where the UK takes a stand for values, human rights, and the international rules based system, upon which we all depend.’

Luke de Pulford, executive director of IPAC, told the BBC’s Today programme that the government had taken two years to ‘call out’ the behaviour of China.

He said it was ‘ludicrous’ there is still a debate on whether China should be treated as posing an ‘enhanced’ risk of meddling. 

But China’s Foreign Ministry said Beijing is a ‘main target’ of hacking, suggesting that the UK needed to cooperate more.

According to a translation, spokesman Lin Jian said: ‘We combat all sorts of malicious actions online, and we advocate all countries to deal with this together through dialogues and cooperation.

‘Tracking of origins of cyber attacks is highly sensitive and complicated. It must be fully backed with objective evidence, and one should not pin the blame on certain countries without any factual basis.’

He added that countries needed to ‘stop spreading disinformation and take a responsible attitude’.

HOW DID THE 2017 WANNACRY CYBER ATTACK CRIPPLE THE NHS?

More than a third of hospital trusts had their systems crippled in the WannaCry ransomware attack in May 2017.

Nearly 20,000 hospital appointments were cancelled because the NHS failed to provide basic security against cyber attackers.

NHS officials claimed 47 trusts were affected – but the National Audit Office (NAO) found the impact was far greater, and in fact 81 were hit by the attack.

When the attack started on May 12, it ripped through the out-of-date defences used by the NHS.

More than a third of hospital trusts had their systems crippled in the WannaCry ransomware attack last May

More than a third of hospital trusts had their systems crippled in the WannaCry ransomware attack last May

The virus, which spread via email, locked staff out of their computers and demanded £230 to release the files on each employee account.

Hospital staff reported seeing computers go down ‘one by one’ as the attack took hold. 

Locked out medics had to rely on pen and paper, while crucial equipment such as MRI machines were also disabled by the attack.

The report reveals nearly 19,500 medical appointments were cancelled, including 139 potential cancer referrals. Five hospitals even had to divert ambulances away at the peak of the crisis.

Hospitals were found to have been running out-of-date computer systems, such as Windows XP and Windows 7, that had not been updated to secure them against such attacks. Computers at almost 600 GP surgeries were also victims.

NAO claimed the cyber attack could have easily been prevented. Officials were warned repeatedly about the WannaCry virus beforehand, with ‘critical alerts’ being sent out in March and April.

Foreign Office minister Lord Ahmad confirmed the attack was carried out by the notorious North Korean cyber espionage group Lazarus. 

Computer systems in 150 countries were caught up in the incident, which saw screens freeze with a warning they would not be unlocked unless a ransom was paid. 

The Department of Health said that from January 2018 hospitals will be subject to unannounced inspections of IT security.  

You May Also Like

Crucial vitamin can ease symptoms of people suffering with deadly lung condition, research finds

Sufferers of a deadly lung condition could improve their quality of life…

Colorectal surgeon shares five common foods linked to increased bowel cancer risk

A colorectal surgeon has given a shocking insight into the rising number…

Top NHS doctor warns ‘stay away from A&E’ this winter

A top NHS doctor is urging people to stay away from A&E…

Labour MUST end the cruel postcode lottery on osteoporosis – and I should know, as I have the bones of a 90-year-old, says TV's DR SARAH JARVIS, 61

A growing chorus of the nation’s leading experts in osteoporosis are calling…