Ransomware brutes smacked 1 in 3 NHS trusts last year

A third (30 per cent) of NHS trusts have been infected by ransomware, with one – the Imperial College Healthcare in London – suffering 19 attacks in just 12 months. According to results of a Freedom of Information-based study, none of the trusts reported paying a ransom or informed law enforcement. All preferred to deal with …

  1. Locky

    "...after being infected by Locky"

    Sorry, couldn't help myself

  2. James Ashton

    Evil: yes; Cretins: doubtful

    It doesn't seem likely that these criminals are cretins; I doubt they'd spend their time with ransomware if it wasn't turning a profit. Some people must be paying up. Even if none of the NHS trusts are paying up, this just means that the evil ones could improve their targeting, assuming they have any, but it doesn't make them cretins.

  3. Doctor Syntax Silver badge

    "Imperial College Healthcare in London – suffering 19 attacks in just 12 months."

    I always liked the saying that experience is a dear teacher but there are those who will learn by no other. If "suffering" means successful attacks it looks as if there are some who won't even learn by experience.

    1. Anonymous Coward

      They didn't pay, so it wasn't a successful attack.

      1. Anonymous Coward

        All documents on servers, servers snapshots up every few hours, with overnight off-sites.

        Infected PC? Remove HD, plug a new one in and re-image. Done.

        1. StomperUK

          That sounds reasonable - unless you've got 1,000+ endpoints to do that on.

          1. The other JJ

            ...and you now have to tell 1,000+ staff that you're rolling back half their day's work - because other than attempting to open every single file you've no way to tell which have been encrypted. That'll take an hour or so and by 3:30 you'll be able to begin your day's work again.
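An added example, not written by any of the commenters above, that follows up the two points made in this thread: snapshots every few hours as the recovery path, and the complaint that you cannot tell which files were encrypted without opening each one. The script flags files whose leading bytes no longer match what their extension promises, or whose content is near-random where plain text is expected, and then copies only those back from a snapshot tree instead of rolling back everybody's half day. The magic-byte table, directory layout and sample files are constructed for the demo (the random bytes stand in for ciphertext; no real malware is involved), and the entropy threshold is an assumption to tune per environment.

```python
"""Flag files a ransomware run has overwritten, then restore only those from a snapshot."""
import math
import os
import shutil
import tempfile
from collections import Counter

# Leading bytes ("magic") for a few common document types. Ransomware that
# overwrites a file in place keeps the name but destroys this header, so a
# mismatch is a strong indicator that the file was encrypted. (Constructed table.)
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits close to 8.0, English text well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str, entropy_threshold: float = 7.5) -> str:
    """Return 'suspect' or 'ok' for one file, reading only its first 64 KiB."""
    with open(path, "rb") as f:
        head = f.read(65536)
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is not None:
        # Known (often already compressed) format: trust the header, not entropy.
        return "ok" if head.startswith(magic) else "suspect"
    # Unknown format: plain text should never look like random bytes.
    return "suspect" if shannon_entropy(head) >= entropy_threshold else "ok"


def scan_tree(root: str) -> list[str]:
    """Walk a tree and return sorted relative paths (with '/' separators) of suspect files."""
    suspects = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if classify_file(full) == "suspect":
                suspects.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(suspects)


def restore_from_snapshot(root: str, snapshot: str, suspects: list[str]) -> list[str]:
    """Copy each suspect file back from the snapshot tree; untouched files stay as they are."""
    restored = []
    for rel in suspects:
        src = os.path.join(snapshot, rel)
        if os.path.isfile(src):
            shutil.copy2(src, os.path.join(root, rel))
            restored.append(rel)
    return restored


def build_sample_tree() -> tuple[str, str]:
    """Constructed demo data: a live share and its last clean snapshot, in temp dirs."""
    root = tempfile.mkdtemp(prefix="live_")
    snap = tempfile.mkdtemp(prefix="snap_")
    files = {
        "notes.txt": b"Ward round notes: patient stable, review bloods tomorrow.\n" * 50,
        "reports/rota.docx": b"PK\x03\x04" + b"\x00" * 2000,
        "reports/budget.xlsx": b"PK\x03\x04" + b"\x00" * 2000,
        "letter.txt": b"Dear colleague, please find the rota attached.\n" * 40,
    }
    for base in (root, snap):
        for rel, data in files.items():
            path = os.path.join(base, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
    # Simulate the outcome of an encryption run on the live tree only: two files
    # keep their names but their content becomes random bytes (os.urandom, not malware).
    for rel in ("reports/budget.xlsx", "letter.txt"):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(os.urandom(4096))
    return root, snap


if __name__ == "__main__":
    live, snapshot = build_sample_tree()
    hits = scan_tree(live)
    print("suspect files:", hits)
    print("restored:", restore_from_snapshot(live, snapshot, hits))
    print("remaining suspects:", scan_tree(live))
```

The header check does the real work for office formats, because those are zip containers whose content is high-entropy even when clean; the entropy test is only applied to types the table does not know. Run it against a mounted snapshot and the live share, and the list it returns is the set of files worth rolling back rather than the whole day.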

  4. Korev Silver badge

    HR Issue

    Isn't it time that the hospitals regard allowing this kind of behaviour by staff as a disciplinary and not an IT issue? If $HOSPITAL_EMPLOYEE did something like leave a bag of leaking clinical waste out in a corridor or gossip about patients' illnesses then HR would get involved; I don't see why a negligent act* on a computer should be any different.

    *I'm assuming the staff member is opening dodgy attachments and not some kind of "drive by" attack

    1. JamesPond

      Re: HR Issue

      The majority of NHS staff are not IT literate. I've worked at NHS Trusts where even 20 something consultants, who you might think would be tech-savvy using social media etc. didn't know how to use a tablet.

      A lot of the problem is government cuts and decentralisation of IT functions, making each Trust pay for their own IT and security systems so as to show central DoH reduction in costs (e.g. NHSmail which used to be centrally funded but is no longer).

      I would ask why the Trust's email systems are allowing the phishing attacks through rather than blaming the users, who are for the most part non-techies trying to care for patients, now wondering whether an email is a phishing attack or not.

      1. Anonymous Coward

        Re: HR Issue

        "who you might think would be tech-savvy using social media etc. didn't know how to use a tablet."

        Oh the unmitigated horror of these unspeakable cretins !!

        (So that's what being tech-savvy equates to now) Still, they seem to have managed to get to be a consultant whilst still in their 20s. Very little chance of that BTW

      2. Doctor Syntax Silver badge

        Re: HR Issue

        "The majority of NHS staff are not IT literate."

        Unfortunately this is no longer a sustainable approach.

        The previous comment mentioned that all staff will be aware that they shouldn't leave leaking clinical waste lying about. That doesn't require them to have microbiological knowledge, it just requires them to know what are the appropriate procedures for handling it. The same applies to IT procedures.

        1. Adam 52 Silver badge

          Re: HR Issue

          I doubt it's even true. Way back in the 1980s when I worked for the NHS you had to do mandatory confidentiality training.

      3. Trigonoceps occipitalis

        Re: HR Issue

        "The majority of NHS staff are not IT literate."

        That's a bit like saying "It's OK, the driver who mowed down the bus queue of nuns was only a chit of a girl, she didn't know any better."

        IT is a tool of the job, if the staff aren't up to using it warn them, train them, then sack them if necessary. Same as a surgeon and a scalpel.

        1. Cuddles

          Re: HR Issue

          "IT is a tool of the job, if the staff aren't up to using it warn them, train them, then sack them if necessary. Same as a surgeon and a scalpel."

          Exactly. It's no longer the 1980s; computers are a fundamental part of most people's (in the West at least, and increasingly so worldwide) lives. It's no longer acceptable to just joke about how hard it is to program a VCR, being unable to use computers means being unable to communicate effectively in the modern world, unable to carry out even the most basic of office jobs, and so on. And, as articles like this show, it's not simply a matter of mildly inconveniencing yourself, the inability to use a computer can, and frequently does, lead to severe consequences. If you screw up with your personal computers, it can lead to all kinds of financial loss and identity theft. If you screw up your employer's computers it can be quite literally a matter of life and death. A doctor who screws up and kills people is fired and possibly jailed. A driver who keeps running people over will be fired and possibly jailed. An office worker who screws up their computer and shuts down a hospital for half a day... giggles about how they don't understand computers and need their teenage son to set their phone for them.

      4. Anonymous Coward

        Re: HR Issue

        The only way to block all phishing attacks is to block all incoming email.

        Over-zealous spam filters can block legitimate emails which, in the NHS context, could have life & death consequences.

        So there's two competing criteria, both of which cannot be complied with at the same time:

        1: Don't block any legitimate emails

        2: Block all spam

    2. Anonymous Coward

      Re: HR Issue

      Or the flip side, give the IT department a disciplinary for not securing the systems adequately to prevent this happening.

      Where was the threat protection software / firewalls to prevent them going to dodgy websites?

      Where are the policies preventing the files / links getting in?

      Where are the policies to prevent them running these files?

      Where are the policies to monitor outbound traffic and lock the network port if suspicious activity is detected?

      It's a collective effort, which requires everyone to do their jobs. After all, you drive a car everyday without doing even the most basic checks.

      1. Anonymous Coward

        Re: HR Issue

        From my own experience within the NHS it's almost always personal e-mail or an infected file brought in via USB. Many places now have control over USB drives but that doesn't stop them being used at home and brought in, and if there's weak AV/malware protection on endpoints (hello McAfee) then it typically doesn't catch it in time, if at all.

      2. John 104

        Re: HR Issue

        @ Lost all faith

        The answer to all of those questions is this: $$$

        These things take resources and money. In our environment (healthcare) we are understaffed and overloaded with projects. Sustained engineering is not a priority, and neither is updating our equipment or software.

  5. Pen-y-gors

    NHS network security?

    So the vastly large and complicated NHS network is vulnerable, not really a surprise.

    Now, what do the following NHS arms have in common: Ambulance trusts and the NHS Business Services people? Yes, they can all access data under the new IP Act.

    Our data is safe in their hands.

    1. Halfmad

      Re: NHS network security?

      The vast network is basically thousands of silos with decent firewalls etc between them, it's not as if it's a LAN party where they're all trying to play Counter-Strike together. From my experience they all default to lock down and open access when given a countersigned form to do so - but I can only speak for my own experiences, I've no doubt there's plenty of plonkers in charge of IT kit out there.

      Still it's not JANET..

  6. Dabooka

    Genuine question

    When I see Freedom of Information requests like this, what's the argument for those that don't respond? Is it just by 'the time of going to press' only x from y replied, or is it down to interpretation of some rule or other?

    My place is terrified and responds to everything, even when I think we could argue based on commercial sensitivity

  7. adam payne

    "A third (30 per cent) of NHS trusts have been infected by ransomware, with one – the Imperial College Healthcare in London – suffering 19 attacks in just 12 months."

    19 times in a year.

    Surely people should be learning after the first few times.

    What I would like to know is, was the healthcare of any patients compromised because of the ransomware?

    1. JamesPond

      was the healthcare of any patients compromised because of the ransomware?

      Yes, at North Lincolnshire & Goole NHS Trust, operations were cancelled for 4 days in October 2016 and blamed on ransomware.

  8. Anonymous Coward

    Maybe somebody should tell the NHS there are other platforms than Windows, ones that don't get targeted as much, and some like iOS on an iPad that sandbox things so the silly end users cannot do as much damage when they do stupid things like open infected zip attachments. Getting the apps they use rewritten for say iOS might be expensive, but long term it must be better and at least they will get the apps updated and not be dependent on IE6. Maybe find the cash by sacking one of the many IT consultants on stupid wages to do nothing but make more mess. Then they also won't be stuck in this expensive gravy train trap of upgrading Windows at great cost.

    1. GruntyMcPugh Silver badge

      ... riiiiight,... you've never worked in a large scale environment supporting people who have a job to do that isn't IT, have you? I also don't think you have much of an idea how large the NHS is, or that tablets aren't particularly productive tools for businesses, which for the most part still rely on desktops, and they rely on devolved security and administration models, which means Active Directory. Apple devices are nice and all, but they need separate management, like an MDM solution, which increases costs.

  9. 0laf

    Targeted?

    They're not the target, the public sector isn't likely to pay up so I doubt these particular cretins are targeting the UK public sector at all. They're just collateral.

    It just so happens that there is no training budget for anti-phishing until after it's happened a few times.

    1. Anonymous Coward

      Re: Targeted?

      Ransomware no - but Dridex etc? Yes. And don't forget the instant these variants start UPLOADING information after encryption the ICO will be hammered with trusts/CCGs/boards putting their hands up as they're one of the few public or private sectors which reliably reports itself to the ICO for knuckle slapping.

      1. Anonymous Coward

        Re: Targeted?

        "they're one of the few public or private sectors which reliably reports itself to the ICO for knuckle".

        They might be more likely to confess but I can assure you they'll do everything they can not to.

  10. Anonymous Coward

    "Ransomware encrypts data on compromised devices before demanding a ransom to regain access"

    That takes the prize for the bleeding obvious, now do you have any technical details?

  11. Mark Dempster

    It's not that easy...

    At my own workplace I've had to recover from 2 ransomware attacks over the last few months. Both arrived as an email apparently from a trusted source that the users dealt with regularly, so had no reason to be suspicious of. I scanned the attachment later with 3 different AV packages, and none found a problem.

    Very glad that my backups were working well at the time...
