Cyber-criminals could be focusing their attention on smaller targets in the healthcare sector
Cyber-criminals could be focusing their attention on smaller targets in the healthcare sector

Ransomware is continuing to wreak havoc across the world, confirming its place as the number one security concern for organisations.

The concept is relatively simple; criminals send a bogus e-mail to an employee with an enclosed attachment. The employee opens it up, and this encrypts the data on the system. The victim is then asked to pay a ransom to receive the decryption key.  

Ransomware is becoming so lucrative for cyber criminals that the FBI believes it could become a $1 billion dollar industry very soon. In 2015, the FBI reported losses of US$24 million (£19 million), but in the first quarter of 2016 alone, losses of US$209 million (£171 million) were reported – an extraordinary increase in such a small space of time.

What is more worrying for organisations is that the technology being used behind these attacks is becoming more sophisticated, and criminals are targeting specific industries and businesses which are likely to suffer the most by being hit from a ransomware assault.

One of those industries is the healthcare sector. Wieland Alge, general manager at Barracuda, suggests that healthcare records, which hold sensitive and personal data are 100 times more valuable than stolen credit card details. It seems as if the criminals are aware of this; a Freedom of Information (FOI) request made by security firm SentinelOne revealed that 30 per cent of NHS Trusts have suffered from a ransomware attack in the past year.

Imperial College Healthcare NHS Trust admitted to being attacked 19 times in just 12 months, while ransomware was to blame for Northern Lincolnshire and Goole NHS Foundation Trust having to cancel 2800 appointments and operations over a four day period.

But now, criminals are looking for smaller victims including dental practices and GP surgeries.

Orlando Scott-Cowley, an independent cyber security consultant, says that just like NHS trusts, these smaller practices rely on access to data or they effectively have to shut their doors.

In the UK, SC Media UK knows of one dental practice in London that had its data held for a ransom of £20,000. The practice owner managed to retrieve the data with the help of an IT expert, and didn't end up paying the ransom but the practice had to close the door to its patients for a week. In the US, a dental practice in Minnesota had its patient data held hostage – with hackers demanding US$1,600 (£1273) in ransom to release the files, the practice owner Dr Lloyd Wallin told Fox News that he paid the fee to regain access to his server.

Vince Warrington, founder of Protective Intelligence, says that he knows of a GP practice in the West Country which suffered from a ransomware attack that managed to restore data from a back-up. He also knows of a small dental practice in the Midlands which ended up paying the ransom, as they didn't have any effective backups they could use. So why are these smaller practices being targeted?

Cowley suggests it is because they are reasonably inexperienced when it comes to dealing with these kinds of threats.

“The attackers are dealing directly with a receptionist, and many of these businesses don't have their own internal IT staff, as they probably use a reseller or contractor. Another reason is that these organisations need the data straight away – if it gets locked up they're more likely to pay a ransom because they can't afford not to have access for more than a couple of minutes,” he explains.

As ransomware has become more mature, it has become easier for criminals to get their hands on phishing emails and exploit kits. Some criminals groups have established ransomware-as-a-service models, which even non-technical criminals can easily use.

Either way, it's not an expensive type of attack to co-ordinate.

“By and large, buying e-mail addresses is dirt cheap – you can buy 5000 e-mail addresses for less than a cup of coffee,” says Intel CTO EMEA Raj Samani.

How do they get in?

Doctors and dentists could be hit as part of a wider campaign, where they are not the specific target but just one of thousands of email addresses that are sent infected e-mails.

Scott-Cowley suggests that the cyber criminals may use sales intelligence websites, where they can buy lists of GP surgeries or dental practices and their corresponding contact details. They can then hit all of them with the same e-mail, and only those that open the attachment will suffer from their data being encrypted.

Criminals are finding cleverer ways of doing this. For example, they may ask receptionists to open an attachment by claiming that it holds important medical results, or x-rays, and they will make these sound urgent because they know the receptionist is already quite flustered and busy.

What should they do if they are attacked?

For those GP surgeries and dental practices that have been hit by an attack, the first piece of advice any IT expert would suggest is to not pay the ransom.

Samani suggests aiming to first back-up any data that is still accessible. He then says victims should use ‘nomoreransomware.org'; a free website set up by several security vendors which aims to help organisations to unlock their data.

He also advises companies to beware of vendors that say they can help to restore the data: “There are a lot of sharks out there who suggest they can do a ransomware back-up and charge more than the criminals; all they do is pay off the criminal and pocket the difference,” he says.

Practices that do pay the ransom should be wary that the criminals may not necessarily unlock the data; they could ask for further instalments, or cash in the money and move on.

Of course, it is far better to be proactive than reactive. Warrington advises practices to ensure their IT is adequately protected and that the latest security patches, anti-malware and anti-virus products are installed. It is also essential to back-up all data in a secure place.

Most medical practices operate a flat network, so it's easy for ransomware to spread between systems and networks. This makes it more important to have different access allocations for different people.

“If you have a shared drive, you need to ask whether everyone needs access to everything; infecting your receptionist's computer with ransomware may not be the biggest deal, but if they have shared access to everything then it's a different story,” Samani warns.

Meanwhile, there needs to be some form of cyber awareness training to help everyone to understand why they could become a victim. This would include ensuring that staff are suspicious of everything in their inboxes, including clicking on links or downloading attachments in emails.

The aftermath

It's not just the initial days lost working or the data loss that can affect an organisation, there are numerous ramifications of being stung by a cyber-attack.

From a legal perspective, dental practices are no different to any other company; they have the duty to protect the personal data they have, perhaps even more so because the data is sensitive. Currently there is no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data, but the Information Commissioner (ICO) believes serious breaches should be brought to the attention of her Office.

When the new General Data Protection Regulations (GDPR) come into play in 2018, all organisations will have to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected.

If the ICO finds out through other means that an organisation has been hit by a data breach – perhaps by a patient – the Commissioner would take into account what steps, if any, the person had taken once they became aware of the contravention, before determining a monetary penalty.

The practice or surgery in question then has brand and reputational issues to contend with, which can have a devastating effect on their businesses or careers.

Emma Wright, commercial technology partner at law firm Kemp Little believes that there will also be an increase in data subjects – in this case patients – bringing claims against organisations that are storing their data.

“If the organisation hasn't put any steps in place and practically left their window open to their network then it's far easier to be called negligent, whereas if the company follows best practice and there is a data breach then it may be more difficult for someone to bring a claim against them,” she says.

What is also important is that it doesn't matter who in the business is responsible for the criminal getting in – it will be the practice owner that will ultimately be to blame, and potentially sued.

Raising importance and awareness

A Department of Health spokesperson told SC Media UK that the organisation was determined to help all health and NHS organisations improve cyber security.

"NHS Digital is taking action by extending its computer emergency response team, CareCERT, which helps reduce vulnerability to cyber-attacks and helps take decisive action to reduce the impact of a data security incident, if it does occur,” they said.

"The National Data Guardian for Health and Care has also proposed ten new standards to improve data security across the health and care system. We will be responding to her recommendations soon to help the NHS boost its defences further,” they added.

SC also contacted the British Medical Association, the Medical Defence Union, the General Dental Council and the General Medical Council to ask whether they would be alerting doctors or dentists about the rise of cyber-attacks and in particular ransomware. However, their responses suggested that that it wasn't a huge cause for concern within the industry as yet, and that awareness still needs to be raised.

Indeed, Warrington suggests that the government should mandate its Cyber Essentials Plus scheme as a minimum requirement for any organisation holding patient data, as this would help reduce the likelihood of a ransomware attack being successful. It would also go a long way in raising awareness of the threat of ransomware and cyber-attacks overall.