Ransomware in Healthcare

The ThreatLabz 2024 Ransomware Report highlights how susceptible the healthcare industry is to ransomware attacks. 312 attacks on the healthcare industry were reported on data leak sites, the second highest count behind manufacturing (653 attacks). This is a 126% increase over the previous year's figure, the fifth largest increase in a pool of 31 categories. Pharmaceuticals is listed as a separate category in the trend data, with a 40% increase.

Ransomware is often provided on a 'software as a service' model, and so is the phishing tooling that gives attackers their initial access: the EvilProxy phishing-as-a-service kit alone is used in more than a million attacks every month. Provision is backed up by 'how to' guides and a Telegram customer support service. With such easy access to potentially high incomes, criminals are willing to pay for these services and run their own campaigns, either targeting specific victims or casting a wide net.

Systems relying on private healthcare models, such as in the USA, are an obvious target. Attackers believe that these have the funds to pay large ransom demands. Any data stolen has additional value, as it may include financial as well as medical records. It can also be sold on and used to impersonate the victims in healthcare claim fraud, or even to gain direct access to their bank accounts. In May 2024 UnitedHealth confirmed that its subsidiary Change Healthcare, a US medical claims and payment processing provider, had paid a $22 million Bitcoin ransom to the BlackCat (ALPHV) group, but paying neither ended the disruption nor secured the return of the stolen data.

Criminals have not treated publicly funded healthcare providers such as the NHS as an exception. In June 2024 NHS hospitals in London were forced to cancel operations and appointments, and to appeal for blood donations, following a ransomware attack on Synnovis, a pathology services partnership between two London hospital Trusts and the laboratory services company SYNLAB. Here the vulnerability lay with an outside provider over which the NHS has only indirect control. As a commercial entity Synnovis might be expected to have a freedom to pay ransom demands that a government body would not, with any effect on patient services being 'collateral damage'.

In the case of the Synnovis attack the alleged culprits, Qilin, denied any responsibility for patient suffering and instead blamed the UK government, which they accused of causing a lack of blood supplies to Russians involved in the Ukraine conflict. Their reported $50 million ransom demand (apparently not paid) suggests the motive was rather more conventional.

In addition to the ransom demand and the loss of data, victims can be fined for poor security. In August 2024 the ICO issued a provisional fine of £6 million against Advanced Computer Software Group Ltd, which supplied services to the NHS and other healthcare providers; the fine was finalised at £3.07 million in March 2025. The breached data included phone numbers and medical records, as well as details of how to gain entry to the homes of 890 people receiving care at home.

In a 2022 report the BMA concluded that more than 13.5 million hours of doctors' time is lost each year in England to delays caused by 'inadequate or malfunctioning IT systems and equipment'. One doctor working in secondary care reported having to log on to four different systems to deal with one patient. Another said there were 'too many logins and passwords' and that different systems were 'not communicating with one another'. The NHS is a vast organisation and does not have limitless funds. Keeping software current and patched is a core defence against malware, but older hardware may not support the latest versions. The NHS also has to do what it can to allow data to be shared between systems, some of which are provided by external suppliers or partners. This is not always possible, and where it is achieved it constrains how updates to the connected systems can be coordinated. Networked medical devices such as those used for patient monitoring or drug dispensing often run embedded software that is harder to patch and less well protected than desktop systems, yet they sit on the same networks and can give criminals a route to other systems holding sensitive data.

The NHS recognises the need for data security: it has set up the Data Security and Protection Toolkit and encourages bodies within and connected to the NHS to achieve Cyber Essentials Plus. Both identify good data security practice and require evidence that such practice has been put in place. Recent NHS data breaches show that audits such as these can identify best practice but cannot be treated as a solution on their own. Appropriate security training for all staff remains a crucial factor in minimising the risk from ransomware.
