“Money for access to data” – NHS medical records are the next victims of the ransomware-type hack

The NHS are fast becoming a target and a victim of cyber-theft.

With reports from Reuters suggesting that medical records are worth ten times as much as banking details, it does not come as a surprise that cyber-criminals are targeting these kinds of personal details.

There were reports of 30 “ransomware” attacks on healthcare trusts in the past 12 months, which is very concerning when you note that healthcare trusts store millions of patient details across the UK.

The “ransomware” attacks are described as ‘sophisticated’ attacks in which cyber-criminals use malicious software to encrypt data, making it inaccessible. The cyber-criminals can then demand a ransom to unlock the illegally encrypted data.

Falling victim to such scams is a massive worry. Are the NHS Trusts doing enough to protect patient data? Some may argue they are not, because hospital systems are often outdated: medical devices are built to last, and constantly upgrading them would not be economically efficient. Some medical devices still use Windows XPe, which may lack an additional layer of security that a more up-to-date system would have.

This could make the system much more vulnerable and easier to hack.

This is serious

You might ask why this is so serious: what can cyber-criminals do with medical records detailing our last check-up appointment or our last injection, for example?

But what about the wealth of more sensitive personal information that could be used for identity fraud? Or perhaps the fact that most people do not want their private information shared and, if it were to be shared, it could cause serious distress.

If the NHS is found not to have adequate protection for its patients’ records, it can be in breach of the Data Protection Act. The Act sets out eight principles that organisations and public bodies must comply with when handling personal data. The Information Commissioner’s Office (ICO) is responsible for enforcing the Act and is seen as the “watchdog” for organisations that are lax in their cyber security. Data breaches in the healthcare system could be seen as the most devastating, as the records held often contain very sensitive personal data.

Ransom demands have been estimated to be around £300 million a year. However, NHS Digital, the organisation in charge of cyber security for the health service, assured the public that no ransom had been paid out, and no data was lost in the process.

The NHS Trust should seek to strengthen its security before it is too late – as was the case for Hollywood Presbyterian Medical Centre, a large American hospital that had to fork out a sum of around £11,800 to unlock data that was encrypted by an attack. The attack left the system inaccessible for ten days, which can cause unnecessary disruption to a hospital system and to vital medical services.

If there are any data breaches, they should be reported at the earliest opportunity. This will hopefully prevent any further breaches and notify the victims. In the meantime, the NHS should take an anticipatory approach and not wait until there is another cyber security threat before it does something about its security. It is sadly the trend that organisations like the NHS are becoming victims of this “ransomware” type of hack, with Hollywood Presbyterian Medical Centre and McAfee on the deadly list.

IMPORTANT: advice on this page is intended to be up-to-date for the 'first published date'.
