Ransomware attacks on the up at NHS trusts

Written by Rebecca Hill on 11 October 2016 in News

The number of NHS trusts being targeted by cyber attacks is on the rise, with reports indicating that at least 28 were hit by ransomware in the past year.


The figures were obtained through a Freedom of Information request by cyber security firm NCC Group and released to the i newspaper.

They show that four of these were considered serious enough that they had to be reported as a potential breach of data protection or confidentiality laws.




In such attacks, malicious software is delivered to a computer, often via an email link, and then blocks access to the system. The attacker then demands a ransom, which can be anything between hundreds and thousands of pounds.

The i newspaper said that NHS Digital acknowledged there had been an increase in attacks, but said that no ransom had been paid in any of the serious incidents, and that no data had been lost.

The FOI also asked trusts if they had paid anything – but eight of the 28 that admitted to attacks would not comment on whether they surrendered any funds, the newspaper reported.

Commenting on the case, Jonathan Lee, the UK healthcare sector manager at security firm Sophos, said that many attacks are short-lived, but that they can have a big impact if they’re spread on highly trafficked sites.

“While putting IT at the heart of care within the NHS brings many gains in terms of care, it also means more opportunity for data breaches,” he said.

“In particular, the increased mobility of service delivery – especially when it comes to social care in the community – already involves the use of a wide variety of devices to access records and other patient data on the move.”

Lee pointed to a survey carried out for Sophos earlier this year, which found that, of 250 chief information or technology officers and IT managers in the NHS, 84% believed that encryption was necessary. Despite this, just 10% said it was well established in their organisation, while only 59% said they had email encryption.

However, the health service is not the only part of the public sector to be targeted by such attacks – in February this year, Lincolnshire County Council had to close down its entire network.

The ransomware, which got into the system because someone clicked a link in an email, did not release any data but did mean the council had to resort to paper for some time.

Lee said that public sector bodies should make sure their systems are up-to-date, that they require multi-factor authentication and encourage all staff to be suspicious of links and attachments in emails.
