Seven National Health Service (NHS) trusts serving over two million people in the UK reportedly failed to spend a single penny on cybersecurity protections last year – a discovery that could leave sensitive medical information vulnerable to exploitation by cybercriminals.
NHS trusts are set up to offer hospital services to geographic areas and can often be responsible for thousands of patients at a time. According to official statistics, the NHS deals with one million patients every 36 hours. Now, an investigation by Sky News has claimed the data of these users has been left at risk to "relatively unskilled" hackers.
The probe, conducted alongside enterprise-facing security and penetration testing firm Hacker House, reportedly found misconfigured email servers, outdated software and outdated security certificates. Researchers also uncovered NHS trusts' emails and passwords.
Using Freedom of Information requests, Sky News said it received responses from 97 NHS trusts in total. It said the annual spend for a single trust was £23,040 and that 45 trusts were "unable to specify" their cybersecurity budgets. Seven, it said, spent nothing.
The investigation found that breaches of sensitive data had spiked from 3,133 in 2014 to 4,177 last year. Recorded cybersecurity incidents also rocketed, from eight in 2014 to 60 last year, Sky News reported.
Jennifer Arcuri, security expert with Hacker House, said: "I would have to say that the security across the board was weak for many factors. Out of date SSLs, out of date software, it was very clear that you could bypass any number of these trusts just by doing the right recon online."
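The "out of date SSLs" Arcuri describes are the kind of defect a trust can catch itself with a routine inventory check, before anyone outside notices. The following is an added example and not code from the article, Sky News or Hacker House: it takes the dictionaries that Python's standard-library `ssl.SSLSocket.getpeercert()` returns for a set of hosts and flags certificates that are expired, close to expiry, or issued for a different name. The hostnames, dates and reference time are constructed for the example; a real inventory would collect the dictionaries from live TLS handshakes against the trust's own mail and web servers.

```python
import ssl

# Constructed sample of what ssl.SSLSocket.getpeercert() returns, keyed by the
# hostname that was connected to. Names and dates are made up for this example.
SAMPLE_CERTS = {
    "mail.example-trust.invalid": {
        "subject": ((("commonName", "mail.example-trust.invalid"),),),
        "notBefore": "Jan  1 00:00:00 2015 GMT",
        "notAfter": "Jan  1 00:00:00 2016 GMT",   # already expired
    },
    "www.example-trust.invalid": {
        "subject": ((("commonName", "www.example-trust.invalid"),),),
        "notBefore": "Jan 20 00:00:00 2016 GMT",
        "notAfter": "Jan 20 00:00:00 2017 GMT",   # expires in 19 days
    },
    "portal.example-trust.invalid": {
        "subject": ((("commonName", "old-name.example-trust.invalid"),),),
        "notBefore": "Jan  1 00:00:00 2016 GMT",
        "notAfter": "Jan  1 00:00:00 2018 GMT",   # valid, but wrong name
    },
}

# Fixed reference time so the audit is reproducible (constructed for the example).
REFERENCE_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2017 GMT")

ONE_DAY = 86400


def common_name(cert):
    """Pull the commonName out of the nested subject tuples getpeercert() uses."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def cert_status(host, cert, now, warn_days=30):
    """Classify one certificate: 'expired', 'expiring', 'name-mismatch' or 'ok'."""
    # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form
    # that getpeercert() returns into seconds since the epoch.
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after <= now:
        return "expired"
    if not_after - now <= warn_days * ONE_DAY:
        return "expiring"
    if common_name(cert) != host:
        return "name-mismatch"
    return "ok"


def audit(certs, now=REFERENCE_NOW, warn_days=30):
    """Return {host: status} for every host in the inventory."""
    return {host: cert_status(host, cert, now, warn_days) for host, cert in certs.items()}


def findings(certs, now=REFERENCE_NOW, warn_days=30):
    """Only the hosts that need attention, so the list can go straight into a ticket."""
    return {h: s for h, s in audit(certs, now, warn_days).items() if s != "ok"}


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_CERTS).items()):
        print(f"{host:35} {status}")
```

The name check is deliberately a plain comparison against the commonName; production code should validate subjectAltName entries as well, which is what the `ssl` module does for you during a verified handshake.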
Indeed, only last week, roughly 1,000 NHS patients were affected by widespread cancellations at three UK hospitals after a computer virus infected critical systems. Staff were ultimately forced to resort to a pen-and-paper filing system and declare a "major incident".
Across the water, a slew of hospitals in the US were recently attacked by a notorious form of ransomware called Locky that – true to its name – locked down critical systems and demanded a payment from the hospital in order to hand back access.
In February, one healthcare facility paid hackers $17,000 (£12,000) in Bitcoin after being targeted. This payment, according to a number of security experts contacted by IBTimes UK at the time, only set a precedent for future attacks to take place.
"In today's connected world, not only do we need to worry about sensitive health data being stolen, there is also the possibility that hacks could shut down vital equipment and systems," said John Benjamin, a technology specialist and partner at London-based law firm DWF.
"We are seeing more and more types of medical devices join the health Internet of Things (IoT) which may be susceptible to hacks and provide cybercriminals with easy access to secure networks."
Additionally, cybersecurity firm NCC Group questioned 60 separate NHS trusts earlier this year and later revealed that nearly 50% of them had encountered ransomware in 2015. This, like many threats, often spreads via email phishing and can infect entire networks with a single click.
As previously reported, statistics released by Big Brother Watch claim that the NHS routinely faces up to 2,000 data breaches a year. Between 2011 and 2014, based on Freedom of Information requests, the healthcare system faced 124 separate incidents "related to IT systems".