England's NHS Trusts frequent ransomware targets

A new Freedom of Information request has shown the extent of attacks against NHS Trusts in England.

Even NHS Trusts in England are not immune to cyber-attacks, especially ransomware. This is according to a new report by the cyber-security firm NCC Group. The company sent a Freedom of Information (FOI) request to 60 Trusts, asking whether they had been attacked by ransomware in the last 12 months. Thirty-one declined to answer, citing patient confidentiality. However, 28 confirmed that they had been attacked, with just one saying it had not been a target. That one has been hit in the past, though.

“The damage that a successful ransomware attack can cause makes these findings not simply an issue for a Trust’s IT team, but for its board of directors too. Paying the ransom – which isn’t something we would advise – can cost significant sums of money, yet losing patient data would be a nightmare scenario for an NHS Trust,” said Ollie Whitehouse, technical director at NCC Group. 

Ransomware is a type of malware, usually spread via email attachments. Once downloaded and run, it encrypts the data on a computer (and sometimes across the entire network), blocking access to that data until a ransom is paid. The ransom is usually demanded in the cryptocurrency Bitcoin, and its size varies depending on who the attacker is and which industry is being targeted.

“In the past the ransomware writers were sometimes quite careless and there was often a way to retrieve files. However, they have improved their capabilities and data retrieval is usually no longer an option. It makes preparation even more important.” 

The best way for organisations to defend themselves from ransomware is to educate their employees about the dangers of the online world.

“There is no silver bullet or one single solution that can stop this type of attack, despite what many security companies may claim. Instead, we would recommend a multi-layered approach, applying robust controls such as regular patching of software, using up-to-date anti-virus and educating staff as to the risks posed by phishing and ransomware.”