The NHS has seen a staggering drop in the number of successful ransomware attacks in the last two years, according to data revealed under transparency laws.
Since 2014, at least 65 NHS trusts have been inflicted with ransomware, with 209 incidents reported in total. Freedom of Information requests were submitted to all UK trusts by Comparitech.com, with 80 percent of hospitals providing the information requested, and about a fifth refusing to respond or not responding at all.
Unsurprisingly, 2017 was the biggest year for ransomware in the last five years, largely as a result of the WannaCry attacks in May of that year. Nearly half (48 per cent) of the incidents reported occurred in 2017, followed by 21 per cent in 2016 and 21 per cent in 2015. Only 3 per cent of all reported attacks were made in 2014, 2018 and 2019 combined, suggesting that trusts have learnt from the WannaCry catastrophe and are better prepared to ensure they are not as vulnerable to attacks.
In 2018, the NHS announced funding for the NHS to better secure local infrastructure, reduce vulnerabilities, increase cyber resilience and update IT systems to Windows 10. Cyber awareness training as a mandatory exercise was also recommended to trusts.
The impact of infection
The report claimed that none of the affected trusts paid any ransom; although not all trusts had responded to the queries, this has generally been the case, with a National Audit Office report in 2017 stating that there was no evidence of an NHS organisation paying the ransom. NHS Digital head of security Dan Taylor said back in 2017 that “health has never paid a ransom”.
Despite this, there are other ways that ransomware can make an impact. Comparitech estimates that 2943 hours (nearly 206 days) of downtime has been caused by ransomware, and that this is likely to be higher – approximately 24 days of downtime – if including further trusts who have been successfully attacked but did not respond to the FOI requests. The average attack caused up to 25 hours of downtime, it found.
The Department of Health and Social Care suggested that the WannaCry attack alone would have cost the NHS £19m in lost output, with a further £500,000 for IT costs and £72m to restore systems and data affected in the attack, putting the overall cost of the attack at £92m.
Why has there been such a huge drop-off?
According to Rik Turner, Principal Analyst at Ovum, cyber criminals focus on easy targets and methodologies, and at the time of WannaCry, ransomware ticked both of those boxes. He believes that the defenders – in this case the NHS – have turned the tables on criminals attempting these attacks.
“I would be interested to know whether the trusts are doing more rapid patching and whether they have all upgraded to Windows 10, as one of the challenges with WannaCry was that so many systems were unpatched. This was because IT often wanted to patch systems but those in operations said that it wouldn’t be possible to take down mission-critical systems in order to patch them while people are on an operating table,” he said.
“If they have then this is good governance and hygiene and it means WannaCry gave those in IT and security teams within the NHS a wake-up call. It perhaps gave them a louder voice to tell others that it doesn’t matter if it’s a mission critical system, it is a priority to patch or upgrade to more recent systems,” he said.
As well as the fact that the NHS is better prepared for the attacks, there is a case that criminals may prefer to go for private hospitals, according to Turner.
“In private healthcare, there’s a greater incentive to pay back ransoms because without the data they can’t fully transact with their customers,” he explained.
But Turner warned that while ransomware may not be the top choice for criminals, it’s likely that there will be further cyber threats on NHS trusts in the years to come. However, he suggested that if the NHS takes the same approach in patching, upgrading and investing in security, it will be better prepared than it was with WannaCry.