Production Perig - stock.adobe.c

NHS suffers fewer ransomware attacks, but threat persists

Ransomware attacks against the NHS have tapered off dramatically, according to statistics obtained under FoI legislation, but this does not mean the threat has diminished

Increased investment in cyber security around the NHS since the crippling WannaCry attack in 2017 has resulted in a dramatic drop-off in ransomware attacks in the past two years, according to statistics obtained by consumer cyber security services comparison website Comparitech.

Comparitech’s researchers submitted Freedom of Information (FoI) requests to all NHS trusts in the UK, asking how many ransomware attacks they had experienced since 2014, whether or not they had paid the ransom and how much it was, how much downtime the attack caused, and what the overall cost to the trust was.

In a newly published disclosure detailing its findings, CompariTech’s Paul Bischoff revealed that 65 trusts (34%) have been successfully attacked with ransomware since 2014, with 209 incidents reported in documents obtained, causing an estimated 206 days of total downtime. None of the affected trusts paid out a ransom.

Given that about 20% of trusts failed to provide any information, these statistics of course suggest that the true number of ransomware incidents, and resulting damage, is higher. CompariTech estimated that a further 23 trusts had probably been impacted.

The WannaCry crisis meant that 2017 was the biggest year for ransomware attacks against the NHS, with 48.3% taking place that year, compared to 21% in 2016, 20.6% in 2015, and a little over 3% in 2014, 2018 and 2019 combined. It is important to note, however, that many trusts are still processing 2019 data, so the total could rise, and 14 of the attacks were not dated.

“The lower number of attacks in 2018/19 does, hopefully, demonstrate that more robust procedures and systems are in place following the large-scale WannaCry attack in 2017,” wrote Bischoff.

“The downward trend coincides with increased spending from the NHS to secure local infrastructure, reduce vulnerabilities, increase cyber resilience, and update IT systems to Windows 10.

“Recommendations were also made for staff to complete cyber awareness training. And organisations were told to consider removing staff members’ access to IT systems if they hadn’t completed this mandatory training.”

In terms of downtime caused by ransomware, a good number of trusts said they did not record this information because it affected various departments, or staff costs were included as part of wider IT services metrics. Interestingly, some trusts said they saw zero downtime, although more usually they shut down systems as a precaution, and some had to reimage their PCs.

But the average length of shutdown was still 25 hours – a potentially dangerous length of time for healthcare organisations to be offline.

Working out the true impact of ransomware on the NHS also proved problematic for many respondents. Many trusts revealed different datapoints, such as additional staffing costs needed to restore IT systems, or the cost of replacement, and very few could calculate the impact on wider procedures, such as admissions, cancelled operations, and accident and emergency attendance.

Ransomware attacks also differed in their scale and severity, some of them affecting only a single endpoint, for example.

Read more about security in healthcare

  • It is especially important to secure data in healthcare environments, because patients’ information is on the line. Things get even more complex with BYOD in the mix.
  • What can the healthcare industry learn about security from finance, retail and manufacturing? Two CISOs who came to healthcare from other industries give their take.
  • Cleveland Clinic’s deputy CISO came to the 2019 CHIME Fall CIO Forum with a message: Migrating to the cloud won’t be easy, but the move is inevitable.

Official statistics on the financial cost of WannaCry – according to a report from the Department of Health and Social Care – suggest that in terms of lost output, the NHS was down £19m, with an additional £500,000 for IT costs, and £72m to restore systems and data, putting the total cost at £92m. This would suggest then when attacks from something other than WannaCry are taken into consideration, the true cost to the NHS of ransomware since 2014 almost certainly exceeds £100m.

Nevertheless, noted Bischoff, the decrease in attack volumes appears, at face value, to show that the money invested in security, coupled with the launch of NHSX, since the WannaCry attacks has had the desired effect, to some extent.

Even so, the NHS spends only about 2% of its total budget on IT, compared with 4-10% in other sectors, according to Saira Ghafur, digital health lead at Imperial College London’s Institute for Global Health Innovation. So the health service still needs more funding to replace ageing infrastructure and secure both endpoint devices and connected healthcare equipment, she said.

Speaking at a think-tank event on security in October 2019, Ghafur said the NHS faced other security challenges, particularly around skills. “We can’t compete with other sectors in terms of attracting cyber security professionals – we need to work with the industry to attract them into healthcare – and all NHS staff need better education in terms of risks,” she said.

Comparitech noted that, at present, there are no agreed minimum security standards in the NHS, and procurement policies still fail to set out adequately how to monitor and secure vital equipment. This means the equipment manufacturers have little incentive to pay proper attention to cyber security.

Bischoff sounded a warning that the lack of standards and safeguards is likely leaving the NHS exposed to other security threats, even though the threat of ransomware seems to have receded.

Another recent report, compiled by Clearswift and Vanson Bourne, backed up this point, revealing that more than two-thirds of UK healthcare organisations – not limited to the NHS – suffered a security incident during 2019. Besides viruses and malware infections, other factors in incidents in the sector included inappropriate sharing of data, failing to follow data protection protocol, and phishing and social engineering attacks.

Read more on Data breach incident management and recovery