Tony Rowan, chief security consultant, SentinelOne, discusses the dangers that the NHS is facing from ransomware attacks.
Ransomware continues to target the public sector, with NHS trusts being added to the long list of victims. A recent Freedom of Information study carried out by SentinelOne revealed that 30% of NHS Trusts have suffered a ransomware attack, potentially placing patient data, systems, and ultimately, lives at risk.
A total of 129 NHS trusts were contacted for the Freedom of Information study, of which three declined to participate. Of those that did respond, all but two NHS trusts have invested in antivirus security on their endpoint devices to protect them from malware. However, one trust – Imperial College Healthcare NHS Trust – admitted to being attacked 19 times in just 12 months. These results alone highlight the fact that old-school antivirus technology is powerless to halt virulent, mutating forms of malware like ransomware, and that a new, more dynamic approach to endpoint protection is needed.
Ransomware designed to encrypt data and demand a ransom to decrypt it has been affecting US hospitals for a while now, with the Hollywood Presbyterian Medical Center in Los Angeles notoriously paying cybercriminals £12,000 in early 2016 after being infected by Locky, one of the most prolific ransomware variants. Now, it seems UK hospitals are not immune to these attacks.
Of those NHS trusts hit by ransomware, 15 were able to provide further information about the origins of the attacks. In 87% of instances, the attacker gained access through a networked NHS device, with 80% targeted via phishing attacks. Whilst the majority of trusts were unable to identify their attackers, one confirmed it was organised cyber criminals, with another believing the attack to have been conducted by opportunistic hackers. It is also interesting to note that none of the trusts paid the ransom or even recorded the amount demanded. Likewise, none of the trusts reported the attacks to police or any other legal authority.
The question is, if these NHS trusts aren’t paying the ransom, why are they such a popular target? The answer lies in the fact that public sector organisations make a soft target for fraudsters because budget and resource shortages frequently leave hospitals short-changed when it comes to security basics. Healthcare organisations have also been seen as a primary target for ransomware attacks because the data they hold can literally mean the difference between life and death. In the past, NHS trusts have been singled out by the ICO for their poor record on data breaches and, with the growth of connected devices like kidney dialysis machines and heart monitors, there is even a chance that poor security practices could put lives at risk.
Halting the infection
With a growing appetite for sensitive medical data amongst the hacker community, there are concerns that, as the NHS moves towards a ‘paperless’ system by 2030, the ransomware problem will become even more severe. With patient data and critical healthcare and safety systems at risk, it is now vital to the health of these trusts – and their patients – to go beyond a standard defensive approach to cybersecurity which is solely based on knowledge of existing attack methods. These technologies are unable to detect malware which has been modified to evade signature-based protection, or even smarter malware which can recognise when it is in a virtual environment. It’s time to consider different solutions using advanced signature-less detection techniques to protect against malware. In addition, trusts should implement regular backup processes, either on alternative machines or, preferably, somewhere offsite, allowing data to be more easily recovered.
Ransomware will continue to evolve and become ever more sophisticated but, by maintaining good endpoint protection, regular patch updates and an effective backup system, any trust will be able to take measures to fight infections and have the correct treatment plan in place.