NHS cyber attack - information and guidance

Tue, 16/05/2017 - 10:47 -- admin

Following the weekends cyber attack EMIS Health have sent out an information and guidance e shot. You can read the complete article here.

NHS cyber attack - information and guidance

Summary of the attack 

A number of NHS organisations have been affected by a ransomware attack which took place on Friday 12 May 2017. This global attack was not specifically targeted at the NHS and is affecting organisations across a range of sectors. The attack used a malware variant called WannaCry which targeted unpatched Windows computer systems. 

EMIS Health hosted systems were unaffected by the attack and remained available throughout. Our client API was also unaffected and remains secure. We have a 24/7 cyber security team monitoring our systems, to help ensure that our systems remain protected from attacks such as this. 

Any software with local area network (LAN) data stores could have been impacted if your systems were affected by the ransomware attack. If you’re concerned you’ve been impacted, contact your local IT department in the first instance. 

If you have any queries related to EMIS Health specific software, keep an eye on the support centre, where we’ll continue to provide updates and answers to common queries. If you need any help with our software, contact our Support team. 

Advice for organisations affected by the attack 

If you think that any machine, including PCs and servers, within your IT environment has been infected by this malware (or any other virus) it is important that you immediately disconnect the relevant device(s) from your network and contact your local IT department. 

If you are affected, your local IT department will work closely with national NHS support, who in turn are working with the National Cyber Security Centre to restore access to your IT systems. 

Once your access is restored, your local IT department may need to rebuild your systems and reinstall software. 

If needed for any PCs running EMIS Web, you can reinstall the EMIS Health software deployment system (SDS) from here

If you use LAN based software, such as PCS LAN, and need to rebuild any servers, you’ll be able to use your backup tapes to restore your data. 

We strongly recommend you follow this threat specific advice and recommended best practice when rebuilding/restoring your IT infrastructure: 

Threat-specific advice 

If you haven’t been affected by the attack, then we recommend that you take the following steps as soon as possible so as to mitigate the threat. If you are affected, once your access is restored, we recommend you follow these steps to help protect you from further attacks:

  • Install the latest Windows update on all PCs and servers and ensure Microsoft security update MS17-010 has been applied. Microsoft have released security patches for currently supported operating systems, as well as a number of unsupported systems such as Windows XP and Server 2003. Install the updates from Control Panel > Windows Updates > Check for Updates, or visit the Microsoft website to learn more.
  • The vulnerable element of unpatched Windows systems which the ransomware took advantage of is called Server Message Block (SMB). SMB should be disabled if not required for business use, and all SMB-related patches should be applied to servers as soon as practical.
  • Install the latest antivirus (AV) updates from your AV provider. If you have Egton’s AV support for your spoke servers or client machines, you should have already started to collect the latest protection from our protection servers.
  • Send a notice to all of your users regarding the attack, explicitly reminding them not to click links or open files in emails from suspicious or unknown sources.
  • Review your current backup policies and procedures. You should be prepared to perform a system restore in case of infection.
  • It is, generally speaking, never a good idea to pay the ransom in a ransomware attack if at all avoidable as it will likely increase the chances of you being targeted again the future.

For any help following these steps, get in touch with your local IT department. 

Recommended best practice 

Following best practice will help to protect you and your organisation in the future. Minimum recommended best practices include:

  • Disabling default user accounts.
  • Educating your users to avoid following links to untrusted sites and opening attachments in emails from suspicious or unknown sources.
  • Configuring browsing software with the least privileges possible.
  • Turning on Data Execution Prevention (DEP) for systems that support it.
  • Maintaining a regular patch and update cycle for your operating systems and installed software.

If you have any problems with EMIS Health software, please do get in touch with our Support team. 

Our focus is on supporting organisations to manage the incident swiftly and decisively, and we will continue to communicate with NHS colleagues and will share more information as it becomes available. 

Further guidance 

Additional information regarding best practice and steps which you should be taking in relation to your IT security practices can be found at:

Frequently asked questions 

What should I do if I think my computer is infected? 

Immediately disconnect your computer from your network and contact your local IT department. 

How can I protect myself and my organisation? 

The attack on 12 May took advantage of a vulnerability in versions of Microsoft Windows which had not been recently updated. Ensure you’re on the latest version of Windows, and ensure your anti-virus software is up-to-date. For any help in doing so, get in touch with your local IT department. 

As an EMIS Web user, how can I reinstall SDS on a rebuilt machine? 

If needed for any PCs running EMIS Web, you can reinstall the EMIS Health software deployment system (SDS) from here

Were EMIS Health systems affected by the attack? 

EMIS Health hosted systems were unaffected by the attack and remained available throughout. Our client API was also unaffected and remains secure. 

I’m a user in Wales – is my system at risk? 

Thus far, Wales has remained unaffected by the attack. We recommend you follow best practice and ensure your Windows and anti-virus software are up-to-date. 

What about locally hosted systems, such as PCS LAN? 

Any LAN based systems could have been affected if your organisation fell victim to the attack. For PCS LAN systems, nightly backups should be running from your server to tapes. If your system has been affected and needs to be rebuilt, you can restore access with your latest backup tape. If you have access to EMIS Web familiarisation, you’ll be able to launch EMIS Web and get a read-only view of patient data, until your server is restored. 

What steps have EMIS Health taken to remain protected? 

Our 24/7 cyber security team monitors our systems to help ensure the remain protected from attacks such as this.
We have also disabled certain sharing functions with our customers, whilst the threat still exists in some affected NHS organisations. This means you won’t be able to add attachments to forum posts or incidents for the time being. 

We’ll continue to provide updates on the Support Centre. If you haven’t got a Support Centre account, you can register for one 

Test your knowledge

Use the EmisNUG courses to establish the knowledge level of you and your colleagues using Emis.

Try it today

"EMIS National User Group has made life for our non-technical users so much easier"


"Meeting a range of different users, there is always something to learn and to give back"


"I was really pleased to discover I was a member due to all the online tools."