Stand and deliver? Ransomware in the NHS
Several trusts have been forced to take key systems offline after ransomware attacks, taking a big hit to their reputations and waiting lists in the process. Surveys by security companies indicate that many more have had to repel boarders.
Jason Allaway, vice president UK and Ireland for one of these companies, RES, says: “Previously, UK healthcare was not seen as a target, because there were bigger financial rewards [for hackers] elsewhere.
“But hackers have started to realise that healthcare data is valuable; and that hospitals may have to pay up because they cannot risk their patients’ wellbeing.”
What is ransomware?
The idea behind ransomware is surprisingly simple. Hackers find a way to infect a computer or electronic device with malware that either encrypts its data and holds it hostage until a ransom is paid or, less frequently, threatens to make the data public unless a ransom is paid.
Typically, the attack is carried out using a Trojan: a program that looks legitimate but isn’t. Often, the Trojan will sneak in via an email link or attachment that tempts people to click.
Ransomware has been around for a long time, but it really came to public attention around 2013, with variants such as CryptoLocker and CryptoWall.
More recent, and more destructive, variants include Locky, which came to prominence in 2016 and which spreads itself through email links posing as Microsoft Office files or compressed folders, and Globe, which has ‘fun’ making references to a series of movies called Purge.
David Emm, a senior security researcher at Kaspersky Lab, says: “Ransomware has been around for about ten years, but we really saw it start to ramp up about three years ago. Until then, they [hackers] were just throwing it out and seeing what happened.
“But then they found that there was money to be made, and we started seeing more diversification, more sophistication, and more targeting. They realised that there was more money to be made from organisations than individuals, and started going after them.”
In healthcare, ransomware initially looked like a US problem, as a wave of American hospitals were hit through late 2015 and early 2016. The highest profile was probably Hollywood Presbyterian Hospital in Los Angeles.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom,” said Allen Stefanek, president and chief executive, in a public letter. “In the best interest of restoring normal operations, we did this.”
From the US to the UK
The NHS looked to have less of a problem until December last year, when Northern Lincolnshire and Goole NHS Foundation Trust had to take its systems offline following a Globe2 ransomware attack.
The trust cancelled most of its operations and appointments for four days and put large, red notices on its website urging people to only visit its A&E departments “if you absolutely need to.” Some 2,800 appointments were lost because of the attack, which is still subject to a police investigation.
Then, in January this year, Barts Health NHS Trust, the largest in the country, told its staff that it was facing a “ransomware virus” attack that had forced it to take “a number of drives offline as a precautionary measure”.
In the event, the trust got off relatively lightly. Its main electronic patient record and digital imaging systems were not affected, although its pathology system was down for two days, forcing staff to process requests manually.
In a statement, the trust said: “This particular virus has never been seen before and, while it had the potential to do significant damage to our computer network files, our measures to contain it were successful. No patient data was affected [and] there was no unauthorised access to medical records.”
Emm is not convinced that the NHS is being attacked more than other organisations. Businesses top Kaspersky Lab’s list of targets; health just makes headlines because it’s so sensitive.
Even so, there’s evidence that Northern Lincolnshire and Goole and Barts Health are just the visible tips of a real problem. A number of companies have carried out surveys to try and gauge trust exposure to cyber security issues, using the Freedom of Information Act.
Some trusts have refused to answer, on the basis that disclosing attacks or measures to prevent them would expose them to further risk. But with this caveat, the surveys have tended to suggest that around a third of NHS organisations have been subject to a ransomware attack.
The most recent, conducted by RES, asked trusts and boards across England, Scotland and Wales if they had faced an attack in the past 18 months. Some 260 responded, with 18 not answering and 87 saying they had – 34% of the total.
The government is certainly taking the problem seriously. Last year, it updated its national cyber security policy and bolstered support for its Office of Cyber Security and Information Assurance, which advises government and the public sector on cyber security issues.
In line with this, NHS Digital, the body responsible for national IT infrastructure, information policies and security, has set up its own CareCERT unit to work with the NHS.
Despite this, the defence against ransomware is, in principle, as simple as the idea behind ransomware itself. The basic advice is to have good perimeter defences, so malware can’t reach a network’s computers and devices.
Then, to make sure users are aware of the dangers of clicking on links, to reduce the risk posed by anything that makes it past the firewall and anti-virus software.
Also, to make sure there are good back-ups in place, so systems can be restored to a non-infected state if an attack is successful. Emm says: “With ransomware specifically, back-up is key. If you can restore then you have no reason to pay.”
From what is known of the recent ransomware attacks on NHS trusts, this is solid advice. Northern Lincolnshire and Goole blamed a “misconfigured firewall” for most of its problems in a report to its board in January.
Barts Health said it had updated its anti-virus software “to prevent a recurrence” of its attack. The vast majority of the FOI inquiries returned to company surveys say trusts were able to restore any affected systems from back-up with minimal disruption.
The problem is that there are any number of complications within the basic strands of advice. The NHS runs a lot of old software, some of which may be very vulnerable unless it is very well patched; and keeping on top of patching can be a challenge.
Trusts have also imposed fewer controls on the users of PCs and laptops than they might have done, and been more generous with letting them connect to their networks than they might have been.
Emm says they are not alone in this; a lot of businesses do the same thing. However, if a user is left with ‘administrator’ rights to a desktop machine, then any malware that infects it will get the same rights; and if that desktop is connected to a network, the whole network is at risk.
The answer, Emm says, is to sit down and come up with a solid strategy. “You need to get your head around what is out there and what it is running, because without that you cannot patch it, or isolate it if necessary,” he says.
Remember the user
Allaway goes further, arguing there needs to be a focus on the user and on making sure they can do the right thing – and not the wrong one. “Lots of trusts have focused on getting good protection in place, but they have not thought as much about their people,” he says.
“They tend to assume that people will look out for things that should not be there, but of course they don’t. In the NHS, in particular, if somebody sees a file or a compressed image they will tend to assume it is about a patient and open it. So the key is to make sure they can do their jobs without doing that.”
RES specialises in secure digital workspaces that put context controls on the information that people can access and what they can do with it. Interestingly, when it comes to combatting ransomware, Allaway says this includes where they can store it.
“Backup is typically seen as another solution to this problem, but people do not always back things up where they should,” he explains. “They often send files to other devices, or store them on the desktop. So a trust might think it has good back-up; only to find that a lot of information has been stored locally.”
Think like a hacker
Tackling the ransomware threat takes time, energy and investment; all of which the NHS would surely rather spend on other things. Unfortunately, that no longer looks like an option.
“If an organisation is not able to defend itself, then it is going to be the target of an attack,” says Emm. “You need to sit down and say: ‘what have we got, and how could it be attacked’. And then you need a really good plan for how you are going to defend it.”