30% of NHS Trusts in the UK have experienced a ransomware attack, potentially placing patient data and lives at risk. One Trust – Imperial College Healthcare NHS Trust – admitted to being attacked 19 times in just 12 months. These were the findings of a Freedom of Information request submitted by SentinelOne.
The Ransomware Research Data Summary explained that SentinelOne made FOI requests to 129 NHS Trusts, of which 94 responded. Three Trusts refused to answer, claiming their response could damage commercial interests. All but two Trusts (Surrey and Sussex, and University College London Hospitals) have invested in anti-virus security software on their endpoint devices to protect them from malware, yet despite installing a McAfee solution, Leeds Teaching Hospital had suffered five attacks in the past year. No Trusts reported paying a ransom or informing law enforcement of the attacks; all preferred to deal with the attacks internally.
Ransomware, which encrypts data and demands a ransom to decrypt it, has been affecting US hospitals for some time. The Hollywood Presbyterian Medical Center in Los Angeles notoriously paid cyber criminals £12,000 last February after being infected by Locky, one of the most prolific ransomware variants.
With infected computers or networks becoming unusable until a ransom has been paid* or the data has been recovered, it is clear why these attacks are a concern for business continuity professionals: the latest Horizon Scan Report published by the Business Continuity Institute highlights cyber attacks as the number one concern. That is a very good reason why cyber resilience has been chosen as the theme for Business Continuity Awareness Week.
“These results are far from surprising,” said Tony Rowan, Chief Security Consultant at SentinelOne. “Public sector organizations make a soft target for fraudsters because budget and resource shortages frequently leave hospitals short-changed when it comes to security basics like regular software patching. The results highlight the fact that old-school AV technology is powerless to halt virulent, mutating forms of malware like ransomware, and a new, more dynamic approach to endpoint protection is needed. In the past, NHS Trusts have been singled out by the ICO for their poor record on data breaches, and with the growth of connected devices like kidney dialysis machines and heart monitors, there is even a chance that poor security practices could put lives at risk.”
*Note that the data isn't always recovered, even after a ransom has been paid.