The Human Cost of Ransomware Cyber Attacks in Healthcare

371 Views

In recent years, the NHS has faced numerous challenges, with the likes of staff shortages, the impact of an ageing population, and an ever-increasing backlog of patients all playing a part in straining its resources. However, with the government announcing in the recent Autumn Budget that the NHS would receive an extra £1.57bn for new surgical hubs, scanners and radiotherapy machines, there is some positive news. Although, this is somewhat overshadowed by the prospect of cyber threats, specifically ransomware, which continues to add a layer of vulnerability to the NHS, and jeopardises its ability to deliver timely and effective care.

The issue of ransomware attacks was addressed in 2020 by Lord Darzi, who highlighted the need for stronger cyber security measures in a report stating that, despite the growing reliance on digital infrastructure, NHS organisations allocate only 1-2% of their running costs to IT services, far below the 4-10% spent in other sectors. This underinvestment in cyber security seems to have continued, and when mixed with the long-standing issues facing the NHS, these attacks could have disastrous consequences for patient care. With a survey of 100 cyber security managers in the UK health sector finding that 81% of healthcare organisations in the UK had been hit by ransomware in the previous year, it’s clear the need for an effective cyber security strategy has never been more important.

To address this, Mark Grindey, CEO of Zeus Cloud, discusses the benefits of integrating cyber security more deeply into the core culture of the NHS, ensuring that the UK is better equipped to deal with cyber attacks and an understanding of how to mitigate them.

What did Lord Darzi have to say?

The 2020 white paper written by researchers from Imperial College London’s Institute of Global Health Innovation, led by Lord Darzi, stated that fresh investment is “urgently needed” to defend against threats that could put patient safety at risk. Fast forward to 2024, and there have been considerable strides made. However, there is still much work to be done. The NHS blocks 21 million items of malicious activity every month,  emphasising just how crucial good cyber security is for the NHS. Yet, attacks do slip through the net, devastatingly affecting patients – WannaCry and Synnovis being the headliners…

WannaCry – one of the most notorious ransomware attacks

One of the most notorious ransomware attacks on the NHS was the WannaCrypt virus (also known as WannaCry) that struck a number of computer systems in May 2017. This attack encrypted files on infected computers, rendering them inaccessible to users, and demanded a ransom payment in exchange for decryption keys. The attack not only affected individual users but also caused significant disruptions in the public sector, as it affected at least 34% of NHS trusts in the UK.

The Department of Health and Social Care estimated that the WannaCry attack cost the NHS a total of £92 million, significant diversion of funds that could’ve been used in other crucial areas of healthcare, such as patient care, medical research, and facility improvements. The attack also caused widespread disruption, leading to the cancellation of thousands of appointments and procedures. This not only affected patient care and delayed treatments but also contributed to a backlog that took months to clear, straining the staff and impacting the NHS services.

Synnovis – ransomware that exposed confidential patient data

The ransomware attack on Synnovis, who provides vital pathology services, including blood tests and transfusions, in 2024 is one of the more recent devastating attacks on the NHS. It affected seven hospitals, managed by two NHS trusts (Guy’s and St Thomas’ NHS Foundation Trust, and King’s College Hospitals NHS Trust).

The Qilin hacking group (the attackers) followed through on their threat to release the stolen data they’d obtained to the public after Synnovis reportedly refused to pay a £40 million ransom to them. As a result, a host of confidential data was exposed, leaving the NHS working to try and minimise the damage and protect the privacy of as many affected patients as possible. The patient data that was publicised included patient names and their dates of birth, as well as their NHS number and descriptions of blood tests that have been performed; as reported by the BBC. The impact of the attack has meant that 800+ operations were postponed1,294 hospital outpatient appointments were postponed in just a week and a host of cancer treatments were forced to be rescheduled.

Solving this problem…

There is no quick fix when it comes to defending against the Ransomware attacks on the NHS. And, unfortunately, unlike other public services, healthcare can’t afford service downtimes due to the life saving work clinicians and nurses carry out every minute of the day. However, it’s clear that a new approach to IT security that acknowledges the disruptions caused by these attacks is essential.

When looking to solve the issue, It would be wise to start with the procurement process. In its current state, healthcare is burdened with outdated IT and security infrastructure. These one size fits all solutions are expensive and often aren’t specifically tailored to the NHS’s needs. This is because the current model favours a small group of vendors who provide generic solutions at inflated prices. Look at it this way, when the majority of trusts are using the same public cloud hyperscaler, which has adopted identical security postures, it is inevitable that a breach at one organisation will be rapidly exploited and repeated in others.  Therefore, it’s fair to say that the NHS is paying vast amounts of money for systems that still lack the proper protections. To combat this, there must be a shift towards security-focused, healthcare-specific procurement. This would enable trusts to adopt tailored solutions that prioritise patient data.

Another solution is to train staff to have the expertise to properly handle cyber security in-house. The reason for this is that if you are completely reliant on a third party for help, you are in trouble if they don’t react quickly enough. For example, relying on third-party providers can create delays in responding to attacks, exacerbating issues and driving up recovery costs. By developing in-house security teams, trusts will have far faster response times and therefore better responses to threats. By having ‘in-house’ teams trained appropriately, trusts can carry out vulnerability assessments themselves, avoiding extortionate costs and ensuring that systems are secure in the long run.

Finally, it is important to move away from the herd mentality. Would, for example, an on-premise private cloud solution be a better option for the NHS than a public cloud hyperscale? Local authorities face the same challenges as the NHS, and it is telling that the handful of public sector local authorities with a good security track record have not adopted the same big vendor, public cloud approach; but have applied rigour to the procurement process to achieve a more secure and cost-effective approach. The NHS could and should learn from these organisations.

And finally…

Ransomware attacks in healthcare environments can lock clinicians out of workstations, disrupt access to services, prevent access to patient records, disable medical devices and prevent delivery of urgent care. And, with so many attacks occurring in the healthcare sector, the impact this has on patient outcomes could be disastrous, and even lead to death in extreme cases.

So, to help safeguard against cyber security attacks, trusts must ensure their cyber security practices are both effective and up-to-date. It is unacceptable to let these attacks jeopardise the confidentiality of sensitive data and disrupt essential public services, impacting the well-being of the people who rely on them. Therefore, action must be taken to address these issues as soon as possible by investing in advanced new security technologies tailored to the NHS, regular staff training, and incident response strategies. By following the steps above, the NHS can better protect its systems and data, helping to maintain public trust and operational integrity.