The calm before the storm – the risk of ransomware in UK healthcare


Written by Ellen Derrico, Senior Director, Healthcare & Life Sciences, RES



Ransomware is an undeniable danger to hospitals and, in turn, to people's lives. In 2015 the healthcare industry was attacked more than any other sector, with notable targets including hospitals in California, Washington and Kentucky.

Worryingly, hospitals are finding it difficult to defend against ransomware. So much so that an FBI official reportedly suggested that the easiest way to deal with these attacks was simply to pay the ransom, in order to regain control and prevent long-term damage and risk to patients (the FBI's formal guidance still advises against paying, since payment funds further attacks and does not guarantee recovery). It is this fear that ransomware attackers harness, and arguably such warnings have fanned the flames of cyber crime more widely. Hospitals are undoubtedly a vulnerable target, and ransomware attacks on these institutions will only increase.

Is the NHS at risk?

The most high-profile cases of hospital hacking have come from the US. However, according to a recent survey by Sophos, only 10% of NHS organisations have a "well established" approach to encryption; in other words, 90% have a poorly established, or even ad hoc, approach. That is a worrying thought for an institution that cares for a population of over 60 million. And it is already evident that branches of UK government are vulnerable: Lincolnshire County Council fell victim to a cyber attack in January.

Of course, the private structure of healthcare in the US makes it a more appealing target. But ransomware did not start in America: much of it originated in Eastern Europe and has merely been honed on American targets. It has now evolved into a sophisticated form of organised crime, complete with ransomware-as-a-service offerings and victim "support" chat lines, and Europe is undoubtedly at serious risk.

The life and death nature of healthcare data

In 2014 the NHS topped the UK data watchdog's so-called "naughty list" of organisations that suffered the most serious data breaches. Clearly, then, if the NHS is vulnerable to having its data compromised or stolen, it is just as vulnerable to having its data locked down and held to ransom: the same weaknesses let an attacker in either way.

And there is good reason why the NHS would be a valuable target for ransomware criminals. While data from a financial services company, law firm or political organisation is often highly confidential, healthcare data can literally mean life or death. Companies in almost all industries, perhaps excluding vital utilities, can continue to operate if their data is locked down or isolated. Hospitals do not have that option. Unless they can restore quickly from a clean backup, many will feel they have no choice but to pay the ransom so that clinicians and other medical professionals can continue to provide critical care.

Take any hospital across the country as an example of how damaging a severe ransomware attack can be in a healthcare context. If a hospital were attacked, lives could well be lost in critical departments such as the emergency department or the ICU. If clinicians are locked out of patient records, imaging and prescribing systems, they are forced back onto paper and telephones, treatment is delayed and patients may have to be diverted elsewhere. It is no surprise, then, that cyber criminals are targeting hospitals.

The hidden costs

This is clearly understood by criminals, which is why one distinguishing feature of healthcare ransoms is that the amounts demanded are often lower than those for financial data: the price is set at what a hospital will pay quickly, not at what the data is worth. Take the Hollywood Presbyterian attack, for example. The hospital was held to a $17,000 ransom (40 bitcoin), a relatively low figure when lives are potentially at stake.

This is merely the tip of the iceberg when it comes to the true cost of being locked out of medical data. The impending General Data Protection Regulation (GDPR) will make any data breach, including loss of availability through ransomware, extremely costly. Fines, legal fees and upgrades mean the total can end up multiplying to far more than the ransom itself. Alongside the financial cost, hospitals also have to worry about the reputational fall-out. Just this week the Indiana hospital DeKalb Health experienced a ransomware attack, and while it did not pay a ransom, the damage to its reputation and the media coverage it received are highly costly in a non-financial way.

Preparing for an attack

To avoid such instances, healthcare professionals need to be aware of the impact this could have on them, and seek to protect themselves as well as possible against such a scenario. Of course, ransomware and cyber criminality in general are always evolving, so they can never be stopped entirely. But there are a number of steps a healthcare organisation can take to make sure it is prepared and protected. Below is a quick guide to five key tips for healthcare organisations to better combat ransomware:

  1. Always have a back-up: Back-ups in healthcare are a must. If a hospital's network is infiltrated and locked, it could mean life or death. Paying is no guarantee either: attackers may not hand over a working decryption key, and even when they do, the recovered data can be incomplete or corrupted. A back-up is therefore the very first step, and it only counts if it is kept offline or otherwise beyond the reach of an attacker who controls the network (ransomware routinely encrypts or deletes any back-up it can reach) and if restoring from it is tested regularly.
  2. Educate your workforce: Cyber criminals treat employees as the weakest link, so they attack the network through phishing campaigns and malicious advertising. With this in mind, ensure your workforce knows the warning signs, can flag a suspicious email and knows who to report it to. This stops many attacks at the root.
  3. Employ technology roadblocks: To make your network as safe as possible, employ proven technologies as stumbling blocks for would-be attackers. These include least-privilege, permission-based access that grants users only the information they need (which also limits how far ransomware running under a user's account can spread); application whitelisting and blacklisting; and read-only protection that prevents programmes from making changes to the system. Alongside these, operating systems, applications and patches should be kept up to date, lost or stolen devices should have their access revoked, and USB mass storage should be blocked by policy so that a network cannot be infected via a thumb drive.
  4. Be vigilant: Hospitals should assume they are already under attack. Given the sensitivity of their data, every hospital should carry out penetration tests regularly, engage ethical hackers to continually expose vulnerabilities, and monitor file servers and endpoints for the signature of an attack in progress: a single account or process rewriting or renaming large numbers of files in a short space of time.
  5. Cyber-insurance: The cost of a ransomware attack, and the regulatory consequences, can be crippling for any organisation, so insurance should be considered to guard against permanent closure and long-term damage. Bear in mind that insurance transfers the financial loss rather than preventing the attack, and that insurers will generally expect the controls above to be in place.
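The vigilance tip above can be made concrete with a simple detection rule over file-activity events: ransomware betrays itself by one account and process rewriting or renaming many files within seconds, usually giving them a new extension and dropping a ransom note. The script below is an added example written for this page, not code from the author or from RES; the log format, the file-count and extension-change thresholds, and the ransom-note name pattern are all assumptions to be tuned against your own baseline, and the sample events are constructed, not real hospital data.

```python
"""Ransomware burst detector over file-activity events (added illustrative example)."""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real hospital data). The line format is an assumption
# for this example: "<ISO time> user=<u> proc=<p> action=<a> path=<src>[ -> <dst>]".
def _build_sample_log():
    lines = []
    # Benign: a backup agent reads many files quickly; reads are not destructive.
    for i in range(40):
        lines.append(f"2016-05-24T02:00:{i:02d} user=svc-backup proc=backup.exe "
                     f"action=read path=/srv/records/pt{i:04d}.pdf")
    # Benign: a clinician saving a few documents over a minute.
    for i, sec in enumerate((0, 12, 47)):
        lines.append(f"2016-05-24T09:15:{sec:02d} user=drsmith proc=winword.exe "
                     f"action=write path=/home/drsmith/notes{i}.docx")
    # Suspicious: one process renames 25 records to a new extension in 25 s, then drops a note.
    for i in range(25):
        lines.append(f"2016-05-24T11:03:{i:02d} user=nurse2 proc=invoice.exe action=rename "
                     f"path=/srv/records/pt{i:04d}.pdf -> /srv/records/pt{i:04d}.pdf.locked")
    lines.append("2016-05-24T11:03:26 user=nurse2 proc=invoice.exe action=create "
                 "path=/srv/records/README_DECRYPT.txt")
    return "\n".join(lines)

SAMPLE_LOG = _build_sample_log()

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) "
                     r"action=(?P<action>\S+) path=(?P<path>.+)$")
# File names typical of ransom notes; an assumption, extend it from your own incident data.
NOTE_RE = re.compile(r"(readme|decrypt|recover|restore|how_to)[^/\\]*\.(txt|html?)$", re.IGNORECASE)
DESTRUCTIVE = {"write", "rename", "create", "delete"}


def parse_events(text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, _, dst = m.group("path").partition(" -> ")
        events.append({"ts": datetime.fromisoformat(m.group("ts")), "user": m.group("user"),
                       "proc": m.group("proc"), "action": m.group("action"),
                       "src": src, "dst": dst or None})
    return events


def _ext(path):
    return os.path.splitext(path)[1].lower()


def detect_ransomware_bursts(events, window=timedelta(seconds=60), min_files=20,
                             min_ext_change_ratio=0.8, allowed_procs=frozenset()):
    """Flag a (user, process) pair that performs destructive actions on at least
    `min_files` distinct files within `window` when most of those actions change the
    file extension, or when a ransom-note-like file is created in the same window.
    Thresholds are assumptions for this example; tune them on your own baseline.
    Returns one alert per actor describing the largest qualifying burst seen."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] in DESTRUCTIVE and e["proc"] not in allowed_procs:
            by_actor[(e["user"], e["proc"])].append(e)
    alerts = []
    for (user, proc), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # slide the window forward
                start += 1
            win = evs[start:end + 1]
            files = {e["src"] for e in win}
            if len(files) < min_files:
                continue
            ext_changes = sum(1 for e in win if e["dst"] and _ext(e["dst"]) != _ext(e["src"]))
            note = any(e["action"] == "create" and NOTE_RE.search(e["src"]) for e in win)
            ratio = ext_changes / len(win)
            if (ratio >= min_ext_change_ratio or note) and (best is None or len(files) > best["files"]):
                best = {"user": user, "proc": proc, "window_start": win[0]["ts"],
                        "window_end": win[-1]["ts"], "files": len(files),
                        "ext_change_ratio": round(ratio, 2), "ransom_note": note,
                        "sample_paths": sorted(files)[:3]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_ransomware_bursts(parse_events(SAMPLE_LOG)):
        print(f"ALERT {alert['user']}/{alert['proc']}: {alert['files']} files "
              f"{alert['window_start']:%H:%M:%S}-{alert['window_end']:%H:%M:%S}, "
              f"ext-change ratio {alert['ext_change_ratio']}, note={alert['ransom_note']}")
```

On the sample data the backup agent is ignored because reads are not destructive, the clinician's three saves fall far below the file threshold, and only the nurse2/invoice.exe burst is reported. The `allowed_procs` parameter exists because legitimate bulk tools (archivers, document converters, the backup agent itself when it writes) will trip a rule like this; exclude them explicitly rather than raising the thresholds until the rule is blind to real attacks.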

The time to act is now

The UK must look at and learn from the ransomware wave sweeping across the US healthcare industry, and understand how severe attacks can be, especially as ransomware is continually evolving, improving and growing in sophistication.

By following the above steps, hospitals and others in the healthcare industry can begin to prepare for an attack and really dig their trenches. Tested back-ups, education, technology and insurance can all minimise the threat of ransomware before it travels back across the Atlantic on a large scale.