Is the NHS ripe for a ransomware attack?

How safe is the NHS from ransomware?

The BBC has reported that three more US hospitals have become victims of ransomware. Systems at Kentucky Methodist Hospital, Chino Valley Medical Center and Desert Valley Hospital, California were apparently targeted.

All are up and running again following 'significant disruption' although no ransoms are believed to have been paid.

With ransomware being the new malware du jour, and healthcare continuing to be a prime target for criminals, none of this should come as much of a surprise.

Apart, perhaps, from reports that an earlier attack on the Hollywood Presbyterian Medical Centre in Los Angeles ended with payment of a ransom in excess of $10,000.

With multiple US-based hospitals suffering disruption at the hands of ransomware infections, and the potential for this to impact upon patient care and wellbeing, we cannot help but wonder whether the NHS will be next.

That criminals will target hospitals in pursuit of a profit, albeit in the case of ransomware often a relatively small one, is not in itself a shock to anyone. So are NHS hospitals at risk, and why haven't we seen disruption on the same scale as in the US healthcare system yet?

Greg Leah, Principal Threat Researcher at Cloudmark, told SCMagazineUK.com that while there is currently very little visibility into UK healthcare targeting, "Locky Ransomware appears to be indiscriminate and not specifically targeted at any person or organization." As such, NHS hospitals are just as much at risk as any organisation.

In mitigation, as the attack reports would appear to confirm, Leah tells us that the Cloudmark Global Threat Network "observed 85% more emails targeted at organizations in the US than the UK" during one recent malware spam campaign.

So relatively low targeting rates could be playing a part in the lack of NHS hospitals falling victim to ransomware. Luke Jennings, Head of R&D at Countercept by MWR InfoSecurity, adds that the fact some NHS systems are "centralised and bespoke may make it less likely that key files are affected by generic ransomware."

Jérôme Segura, Senior Security Researcher at Malwarebytes, also reminded SC that "generally speaking hospitals do not have to report incidents unless there has been a breach of personally identifiable information", so we shouldn't assume that the only incidents that have occurred are the ones we have heard of in the media.

Indeed, it would seem rather unlikely that UK healthcare has escaped untouched by the hand of ransomware given both the prevalence of the threat and the nature of End User Computing in the NHS.

"With NHS finances in crisis, departments typically turn to End User Computing (Excel/Word/Access) to meet their IT needs," warns Jim Culverwell, VP Americas at ClusterSeven, who continues: "with 1.6 million employees, the End User Computing footprint at the NHS is colossal and the fact that most Ransomware is introduced into the organisation via end user machines just exacerbates the problem."

Aside from End User Computing, there are the end users themselves to consider. "Phishing is the most common attack vector for delivering this type of attack", Rohyt Belani, CEO and co-founder of PhishMe, told SC. "Medical staff often work long hours, which can deride from their attention to detail; in short, they need help from higher-ups whenever possible so as to prevent repeats of successful ransomware attacks."

Most within the IT security industry SC spoke to are of one opinion when it comes to the NHS being a target, and equally united in not having heard of any successful ransomware attacks as of yet. Which brings us back to the question of why there hasn't been disruption on the same scale as in the US healthcare system.

Andrew Barratt, Managing Director Europe for security consultancy Coalfire, thinks it may have something to do with the Health and Social Care Information Centre (HSCIC), which provides an information governance toolkit (based on ISO 27001) that varies the security and privacy requirements depending on the type of organisation within the NHS.

"One of the actions that the HSCIC instigated was the creation of a Computer Emergency Response Team (CERT) known as CareCERT that offers guidance and support on how to respond effectively to security threats," Barratt says. "This has the benefit of linking with other Government CERTs to share intelligence and data."

In the US, meanwhile, there is something of a commercial disincentive against not receiving electronic data, as clinical staff who treat Medicare patients receive lower reimbursements if they do not accept electronic records. "This can result in organisations taking onboard digital initiatives," Barratt reckons, "without putting all the relevant and necessary security controls in place." This more distributed and commercial model makes the US an easier target for ransomware attacks.

Equally though, it does seem likely that US hospitals are not being targeted directly, but rather that the poorly defended ones are getting caught in the scattergun approach of the ransomware attacks. The relatively low-value ransoms being asked of large enterprises such as hospitals are proof enough that the main targets are home users and small businesses.

As Lawrence Munro, Director of EMEA and APAC at Trustwave, concludes: "I don't believe that hospitals are being specifically targeted in this swath of malware outbreaks. Essentially, hospitals run many of the same systems as home users and other businesses (including public services) that are susceptible to malware under the right conditions. At this stage, it seems that they are victims of opportunistic attacks, rather than a targeted onslaught against the health system."

Which doesn't mean that won't change, especially as the criminal fraternity see reports of hospitals falling victim to ransomware and understand that there is perhaps bigger money to be made from a targeted attack. "Without being alarmist," warns Munro, "I would advise UK hospitals to continue working towards defence-in-depth to be resistant to this (and other) information security threats."

As Richard Kirk, Senior Vice President at AlienVault, concludes: "criminals do not care about geographic boundaries and anyone is a target for ransomware. If hospitals in the US are being targeted then it is reasonable to assume that hospitals elsewhere, including the UK, will be targeted... all it would take is for a hospital employee to accidentally open an infected document."