47% of NHS Trusts in England admit to falling victim to ransomware

FOI request shows cyber assault on healthcare sector

47% of NHS Trusts in England have been hit by ransomware in the past year, according to data from a freedom of information (FOI) request.

The FOI request was made by global risk mitigation and cyber security expert NCC Group. 60 Trusts responded, 31 of which withheld information, with many citing patient confidentiality. However, 28 confirmed they had indeed been a victim of ransomware. Only one Trust said it had not been hit in the last year, but that it had been infected in the past.

Ransomware is a type of malware that restricts access to systems in some way, often by encrypting files and then demanding a ransom to obtain access. With NHS Trusts holding a range of sensitive data on patients and employees, a piece of ransomware could cause serious disruption to services and ultimately impact patient care.

Ollie Whitehouse, technical director at NCC Group, said: “The damage that a successful ransomware attack can cause makes these findings not simply an issue for a Trust’s IT team, but for its board of directors too. Paying the ransom – which isn’t something we would advise – can cost significant sums of money, yet losing patient data would be a nightmare scenario for an NHS Trust.

“In the past the ransomware writers were sometimes quite careless and there was often a way to retrieve files. However, they have improved their capabilities and data retrieval is usually no longer an option. It makes preparation even more important.”

Many ransomware attacks are delivered via phishing emails. These are often well crafted and disguised to resemble something non-malicious to fool the recipient. Phishing emails often take the form of parcel delivery notifications, imaginary customer complaints or fake official letters.

Whitehouse continued: “There is no silver bullet or one single solution that can stop this type of attack, despite what many security companies may claim. Instead, we would recommend a multi-layered approach, applying robust controls such as regular patching of software, using up-to-date anti-virus and educating staff as to the risks posed by phishing and ransomware.”


Media contact: Lucy Giles @ MC2 – 0161 236 1352

Notes to editors

About the FOI

The FOI was sent out to all NHS Trusts in England in April 2016. They were asked: “have you suffered from a ransomware attack in the last year?”

155 Trusts were approached and 60 responded. Of those who responded, 31 withheld information, 28 said they had been a victim and one said they had not.

About NCC Group

NCC Group is a FTSE 250-listed global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape.

With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face.

NCC Group is passionate about making the Internet safer and revolutionising the way in which organisations think about cyber security.




Published date:  24 August 2016
