Since the beginning of 2016 there has been a sharp spike in the number of extortion attempts against hospitals using ransomware – a form of malware that locks down sensitive files on a network and demands bitcoin payment for their unlocking. Yet while major cases so far have been contained to the US, security experts are now warning that location is no barrier to cybercrime and that NHS hospitals in the UK are just as vulnerable to hacking as their counterparts across the water.
The infection could come in the form of a socially-engineered invoice or a malware-ridden referral letter from a GP – the process would be quick, ruthless and potentially fatal for any patients caught in the middle.
UK hospitals 'are a prime target'
"UK hospitals are very vulnerable to ransomware attacks," Justin Harvey, chief security officer at Fidelis Cybersecurity told IBTimes UK. "Critically, they hold data that is so valuable, it would be worth paying out in a ransomware attack. Also, hospitals are part of the UK's critical infrastructure, making them a prime target for attackers who wish to cause maximum disruption to achieve their goals – whether that be for money or publicity.
"We must take note of what's happening around the world to get an indication of the next cyber threat that's likely to land on our door step," he added. "US hospital ransomware attacks and the Ukrainian power outage hack are prime examples of the methods and motivations that our hospitals and other critical infrastructure institutions need to protect against."
In the most recent incident, three separate hospitals in the US were forced to declare a state of emergency after being hit with a form of ransomware called Locky that hides in seemingly innocent email links and attachments. The victims were targeted by social engineering and, once the malware took hold, the hospitals were forced to process everything by hand on paper, severely hampering patient administration.
For the UK, security experts said the healthcare sector should take note, arguing the NHS will soon feel the effect of this rise in cybercrime. "The UK must be prepared for the inevitable – we will see a rise in ransomware attacks on our health system," asserted Stephen Love, security expert with IT firm Insight UK.
On 17 February this year, the Hollywood Presbyterian Medical Centre, located in the heart of Los Angeles, paid a significant $17,000 (£12,000) in bitcoin ransom to hackers who had infected its systems with ransomware.
This payment, security experts say, effectively set a precedent that cyber-extortion works. And indeed, since this case many more hospitals have been targeted for cash in copycat-style hacks.
In light of this, Catalin Cosoi, chief security strategist at security firm Bitdefender, said that medical records are the new 'currency' among cybercriminals and that black market prices for these records on the dark web are "up to 10 times higher" than credit card numbers.
"Most attacks are financially motivated, so if an attacker gets hold of personal medical records, they can then extort the victim for a significant amount of money," he said. "Fraudsters can also use this data to create fake IDs to buy medical equipment or drugs, or they can combine the data to file false complaints with insurers." Additionally, Cosoi branded UK hospitals a "ripe target", arguing that they remain ill-prepared to protect their networks from serious cybercriminals.
And as Mark James, security specialist at ESET, an internet security company, points out, the UK sector is currently cracking under the strain of complying with strict budgets and government demands in this age of austerity. "If you then look at the immense pressure for funding that our UK healthcare is under to not only keep our hospitals running but also to staff those that work there, then sadly the IT budget may not necessarily be top of the list for expenditure," he told IBTimes UK.
"The old adage 'if it isn't broke, don't fix it' sadly may be used in these cases. Outdated, insecure servers and workstations, coupled with a large amount of both permanent and temporary staff at all levels, make it very hard to combat any form of targeted attack that, if successful, may enable the attacker to gain complete control of systems."
The NHS cybersecurity and incident response system – under the CareCERT Project – is managed in collaboration with the Cabinet Office National Cyber Security Programme (NCSP) and works closely with the UK government on threat intelligence and analysis.
'A matter of life and death'
Yet at last count, the NHS was facing over 2,000 data breaches a year, including 124 instances "relating to IT systems." And in a scathing summary in 2015, the Information Commissioner's Office (ICO) slammed the NHS for its data breach policies and cited "poor procedures and insufficient training" as major concerns. While a large number of the breaches listed publicly were not a direct result of hacking, security experts now warn that if a significant cyberattack were to occur, it could be a "matter of life and death" for some patients.
"In today's connected world, not only do we need to worry about sensitive health data being stolen, there is also the possibility that hacks could shut down vital equipment and systems," said John Benjamin, a technology specialist and partner at London-based law firm DWF. "We are seeing more and more types of medical devices join the health Internet of Things (IoT) which may be susceptible to hacks and provide cybercriminals with easy access to secure networks," he warned.
It is surprising – or perhaps admirable – that the NHS has remained relatively unharmed when it comes to cybercrime to date. However, based on these warnings from the cybersecurity industry, there is a very real chance that this clean bill of health is not set to last.
IBTimes UK contacted the UK Department of Health for information regarding cybersecurity statistics, funding and financials; however, the department could not comment on these issues. Do you have insight into the current state of NHS cybersecurity standards? Get in touch: firstname.lastname@example.org or via Twitter: @Jason_A_Murdock