At least 25 National Health Service hospitals in England have been hit by ransomware, malware that encrypts the files on infected computers and demands a bitcoin payment for the key to unlock them, according to the BBC.
When a hospital network is hit by ransomware, patient data becomes encrypted and inaccessible. Many strains also threaten to delete the files permanently if the ransom isn't paid by a deadline, which can cripple hospitals and be devastating for patients.
Ransomware attacks on hospitals are nothing new. In fact, an NHS hospital system was hit by ransomware just six months ago. Ransomware attacks have proved repeatedly effective against hospitals, which has led to something of an epidemic of the practice. In February 2016, a hospital in LA paid $17,000 to unlock its files. In April 2016, the US and Canadian governments issued a joint warning noting that ransomware had hit hospitals in the US, Germany, and New Zealand, and advised on how to protect networks against it. Reports of similar attacks on hospitals and healthcare networks date back to at least 2014.
Ransomware is typically delivered by sending a seemingly legitimate email to an employee of the targeted organization. The employee opens a malicious attachment, the malware runs on their machine, and from there it can spread to other computers reachable on the same network. Hospitals can struggle to provide even basic care like prescription refills when they can't access patient data. When NHS Lincolnshire and Goole was attacked six months ago, it had to divert patients waiting for surgeries and organ transplants to other NHS hospitals.
Ransomware is a popular type of attack in general, but targets where an outage puts people's health at risk, and so raises the urgency of paying, seem especially attractive to attackers. Security experts have warned about ransomware attacks on medical devices, and the FBI has cautioned about hackers targeting emergency services.
In other words, NHS absolutely should have seen this coming. At least a dozen hospitals in the NHS system have been targeted by ransomware attacks dating back to 2012, Motherboard reported. In those cases, the hospitals did not pay ransoms because they were able to recover their data from internal backups.
That wasn't the case this time. As of this writing, the ransomware that hit the NHS is "spreading like hell" across 11 countries, security researchers said. At least one NHS hospital is reportedly unable to accept new patients as a result of the attack. And some victims appear to be paying up: the bitcoin blockchain, the public ledger of all bitcoin transactions, shows that the attackers' wallet received two payments of about $270 each in bitcoin this morning.
Hospitals are prime targets for hackers spreading ransomware because in many cases they feel they have no choice but to pay up as fast as possible or risk the health or lives of patients. But paying ransom to hackers is not a sustainable strategy, and payment does not guarantee that the attackers will actually hand over a working key. If hospitals simply pay up, more hackers will be encouraged to hit them up for more money, more frequently.
Ransomware isn't some unheard-of, deeply complex problem that the NHS isn't equipped to handle. So why hasn't the NHS secured its networks? The NHS didn't respond to our question about why its network was insecure, but said in a statement that the issue was ongoing and that "across the NHS we have tried and tested contingency plans to ensure we are able to keep the NHS open for business."
To defend against ransomware, hospitals should follow the same basic hygiene that protects against any other kind of cyberattack. To start: back up critical data regularly and often, and keep those backups isolated from the production network, offline or behind separate credentials, so an infection that encrypts the live systems cannot reach them; test that the backups can actually be restored, because an untested backup is not a backup. Prevent malicious software and unapproved programs from running on machines on the network. Keep every system current with vendor patches and run up-to-date anti-virus software. Restrict permissions so users and services have only as much access as they need to do their jobs, which also limits how far an infection can spread once one machine is compromised. And train staff to recognize phishing emails and to report them rather than open the attachment.
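As an added illustration of the backup advice above (example code written for this page, not anything published by the NHS or the article's sources), the following POSIX shell script takes a timestamped snapshot of a directory, records a SHA-256 manifest, strips write permission from the snapshot, and then runs a restore drill. The function names, the `MANIFEST.sha256` file name and the sample "patient" files are all constructed for the example; it assumes GNU coreutils (`cp`, `find`, `sha256sum`, `chmod`, `mktemp`).

```shell
#!/bin/sh
# Added example (not from the article): versioned backup snapshots that are
# made read-only after a checksum manifest is written, plus a restore drill.
# Assumes POSIX sh with GNU coreutils (cp, find, sha256sum, chmod, mktemp).
set -eu

# Snapshot SRC into a fresh timestamped directory under DEST, record a
# SHA-256 manifest of every file, then remove write permission from the
# whole snapshot. The chmod stands in for offline or write-once media:
# the real control is that the backup is not reachable with the same
# credentials and network paths as the live data.
backup_snapshot() {
    src=$1; dest=$2
    mkdir -p "$dest"
    snap=$(mktemp -d "$dest/snap-$(date -u +%Y%m%dT%H%M%SZ)-XXXXXX")
    mkdir "$snap/data"
    cp -R "$src/." "$snap/data/"
    ( cd "$snap/data" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) \
        > "$snap/MANIFEST.sha256"
    chmod -R a-w "$snap"
    printf '%s\n' "$snap"
}

# Succeed only if every file in the snapshot still hashes to the recorded value.
verify_snapshot() {
    snap=$1
    manifest=$(cd "$snap" && pwd)/MANIFEST.sha256
    ( cd "$snap/data" && sha256sum -c --status "$manifest" )
}

# Count live files that no longer match the snapshot manifest: rewritten,
# renamed or missing files all show up as FAILED. Prints the count.
live_mismatches() {
    src=$1; snap=$2
    manifest=$(cd "$snap" && pwd)/MANIFEST.sha256
    ( cd "$src" && sha256sum -c "$manifest" 2>/dev/null || true ) \
        | grep -c 'FAILED' || true
}

# Restore drill: copy the snapshot into TARGET and check the restored tree
# against the manifest. A backup that has never been restored is untested.
restore_drill() {
    snap=$1; target=$2
    manifest=$(cd "$snap" && pwd)/MANIFEST.sha256
    mkdir -p "$target"
    cp -R "$snap/data/." "$target/"
    ( cd "$target" && sha256sum -c --status "$manifest" )
}

# Stand-in for an encryption pass: overwrite each file with junk and rename
# it, which is roughly what a live tree looks like after ransomware runs.
simulate_encryption() {
    find "$1" -type f | while IFS= read -r f; do
        head -c 64 /dev/urandom > "$f"
        mv "$f" "$f.locked"
    done
}

# Walk-through on constructed data: snapshot, corrupt the live copy, confirm
# the snapshot is untouched, restore. Run with: sh backup_drill.sh --demo
demo() {
    work=$(mktemp -d)
    mkdir "$work/live"
    printf 'patient record 1\n' > "$work/live/p1.txt"
    printf 'patient record 2\n' > "$work/live/p2.txt"
    snap=$(backup_snapshot "$work/live" "$work/backups")
    echo "snapshot written to $snap"
    simulate_encryption "$work/live"
    echo "live files no longer matching the snapshot: $(live_mismatches "$work/live" "$snap")"
    verify_snapshot "$snap" && echo "snapshot still intact"
    restore_drill "$snap" "$work/restored" && echo "restore verified against manifest"
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

The manifest is what turns a copy into a verifiable backup: it lets the drill prove the restored tree matches what was captured, and it lets `live_mismatches` show how much of the production data an infection has touched. Store the manifest somewhere the backup host cannot rewrite it, since an attacker with root on that host could otherwise re-hash the files after tampering.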
NHS put patients at risk by failing to mandate a stricter computer security policy for the hospitals it operates. Hospitals need to prepare for ransomware attacks, or sooner or later, someone will die.