The number of NHS trusts being targeted by cyber attacks is on the rise, with reports indicating that at least 28 were hit by ransomware in the past year.
NHS trusts are a target of cyber attacks – Photo credit: Fotolia
The figures were obtained through a Freedom of Information request by cyber security firm NCC Group and released to the i newspaper.
They show that four of these were considered serious enough that they had to be reported as a potential breach of data protection or confidentiality laws.
Such attacks see malicious software sent to a computer, often via an email link, which then blocks access to the system. The source will then demand a ransom is paid, which can be anything between hundreds and thousands of pounds.
The i newspaper said that NHS Digital acknowledged there had been an increase in attacks, but said that no ransom had been paid in any of the serious indicidents, and that no data had been lost.
The FOI also asked trusts if they had paid anything – but eight of the 28 that admitted to attacks would not comment on whether they surrendered nay funds, the newspaper reported.
Commenting on the case, Jonathan Lee, the UK healthcare sector manager at security firm Sophos, said that many attacks are short-lived, but that they can have big impact if they’re spread on highly trafficked sites.
“While putting IT at the heart of care within the NHS brings many gains in terms of care, it also means more opportunity for data breaches,” he said.
“In particular, the increased mobility of service delivery – especially when it comes to social care in the community – already involves the use of a wide variety of devices to access records and other patient data on the move.”
Lee pointed to a survey carried out for Sophos earlier this year, which found that, of 250 chief information or technology officers and IT managers in the NHS, 84% believed that encryption was necessary. Despite this, just 10% said it was well established in their organisation, while only 59% said they had email encryption.
However, the health service is not the only part of the public sector to be targeted by such attacks – in February this year, Lincolnshire County Council had to close down its entire network.
The ransomware, which got into the system because someone clicked a link in an email, did not release any data but did mean the council had to resort to paper for some time.
Lee said that public sector bodies should make sure their systems are up-to-date, that they require multi-factor authentication and encourage all staff to be suspicious of links and attachments in emails.