Whilst hospitals in the UK are slowly working towards meeting the NHS waiting time standards post-COVID, the Wirral University Teaching Hospital NHS Foundation Trust (the Trust) faced a further setback attributed to a cyber-attack which took place in November 2024.
In a report published on 29 January 2025, the Trust provided details of the impact of the cyber-attack on the Trust and its patients, adding to the first-hand insight from victims of such attacks into the long-running nature of the issues they face in the aftermath. It is expected that this impact will last for several months, further highlighting the importance of implementing procedures to minimise the risk of cyber-attacks in an ever-expanding "cyber world".
The Attack
The Trust experienced what it described as a "major" cyber-attack on 25 November 2024 which was directed at its main clinical system, leading to the cancellation of all outpatient appointments and elective procedures (the Attack). Whilst very little is known publicly about the Attack, it appears that it was sufficiently serious to require a report to the Information Commissioner and the Department of Health and Social Care, in compliance with the Network and Information Systems Regulations 2018. However, the Trust has been able to confirm that the security of patient records and other sensitive information was maintained throughout the Attack.
In addition to the cancellation of various appointments and procedures, the Trust experienced interruptions to the recording of its activities into its health system, Cerner, which is used for administering electronic prescriptions. The Trust oversees Wirral Women and Children's Hospital, Clatterbridge Hospital and Arrowe Park Hospital – all of which were impacted by the Attack.
The clinical systems were affected for several days after the Attack, with systems only being reinstated on 4 December 2024. The Trust has stated that the significant impact is still felt today and that it will take a number of months for systems to recover to optimal performance.
Impact
One of the most significantly impacted units within the Trust is the cancer care unit: in December, shortly after the Attack, the number of patients waiting to be seen reached the highest levels recorded in 2024.
The Trust is subject to certain standards set by the NHS for all regional trusts in relation to treating cancer patients. One of these is the 62-day referral to treatment (RTT) standard, which aims to provide patients with their first course of treatment within 62 days of being referred for an initial diagnosis.
As a result of the Attack, the Trust saw patient wait time increase to 174-day RTT as at 30 December 2024, compared to 90-day RTT in the three months immediately prior to the Attack. Although the festive period tends to have an impact on performance due to the inevitable reduced capacity, this was massively exacerbated by the Attack.
In addition to the real-life impact on its patients, the Attack resulted in significant financial losses. In a report to the Trust's board of directors on 29 January 2025, it was noted that the Attack contributed around £3.7 million to the Trust's overall £14.7 million forecasted deficit.
Insight
The Attack underscores a critical issue that has become increasingly prevalent within the healthcare sector: the vulnerability of digital systems to malicious cyber activities, and the long-lasting effects that these attacks can have. As healthcare providers continue to embrace digital transformation to enhance patient care and operational efficiency, the risk landscape evolves in tandem, necessitating robust cybersecurity measures.
This is not the first cyber-attack affecting the NHS and, with its increased digitisation of systems, cyber-attacks have surged in frequency and are almost becoming an inevitability. The Trust's experience serves as a cautionary tale, highlighting the pressing need for healthcare organisations not only to invest in advanced technological defences, but also to cultivate a culture of cyber vigilance and a focus on cyber resilience.
The Trust has maintained that its cybersecurity function continues to meet performance standards. Whilst the Trust has not publicly identified the source of the Attack, nor a reason why the impact was so significant, one of the challenges identified in the aftermath of the Attack is the staffing shortfall in the Trust's intelligence and information department, which had reached 13.9% as of 29 January 2025. This gap in cybersecurity expertise is not unique to the Trust or the healthcare sector but is reflective of a national shortage of skilled cybersecurity professionals. Addressing this deficiency requires strategic recruitment initiatives, competitive remuneration packages, and the fostering of career development pathways that attract and retain talent.
The lessons from the Trust's experience are clear: cybersecurity must be prioritised as a core component of healthcare delivery. The same can be said for any other critical sector. This requires an integrated approach that combines technological solutions, skilled personnel, and proactive risk management practices. Indeed, the Home Office has recently taken steps to address the growing threat of cyber-attacks on public services and critical national infrastructure.
If you would like to know how our Cybersecurity team here at Trowers & Hamlins can assist you, please get in touch with Charlotte Clayson and the Cybersecure 360 team.
