At least 28 NHS Trusts across England have fallen victim to cybercriminals attempting to blackmail them for money in the past 12 months. Hackers have been able to access and steal large amounts of private patient data, and then issue ransom demands. That's according to data released through Freedom of Information requests by the i newspaper.
NHS Digital, the body which oversees cybersecurity for the UK's health service, admitted there has been an increase in attacks but told the i that no ransom was paid and claims that no data was lost. It said patient records had not been affected.
However, Ollie Whitehouse, technical director of NCC Group, the Internet security company which obtained the data, told the i that NHS Trusts remain vulnerable to further data breaches.
"Ransomware has become the bottom line of cybercrime — if hackers break into a system and can't find any other way to monetize what they find, they encrypt the data and demand a ransom.
"We have seen a 400% increase in these attacks," Mr. Whitehouse said.
"The health service is by no means alone in facing this kind of attack. But NHS trusts are being increasingly targeted and any loss of patient data would be a nightmare scenario. Like everyone else, they need to be applying robust controls," he added.
The agency tasked with trying to help key UK institutions develop these robust controls, is the UK's new National Cyber Security Centre (NCSC), which recently opened last week. The public facing wing of the UK's intelligence agency, GCHQ, one of its key priorities is to maintain the integrity of large scale systems and networks across the UK. However, that will be no easy task.
Last month, the director general of cybersecurity for GCHQ, Ciaran Martin, admitted that current measures to protect the UK from cyber crime are "not yet good enough."
"Far too many of these basic attacks are getting through. And they are doing far too much damage. They're damaging our major institutions," he added.
The NCSC's new lead on health, Alison Whitney, also acknowledged that the vast scale and complexity of the NHS makes it particularly at risk. Speaking at the UK Health Show in London earlier this month, Whitney said that a new kind of cyberdefense model is needed.
"There are 1.2 million users, and somewhere between 20,000 and 40,000 organisations… so I knew that the kind of models and approaches we used for central government just weren't going to work. We are going to be drawing some research into anonymization and hoping we can turn that into practical guidance," Mr. Whitney said.
The newly revealed data breaches is the latest blow this year for the NHS. Hospital bosses are warning that the NHS has reached a ‘tipping point' as it struggles to maintain good standards for patients, due to lack of funds and simultaneous increase in demand.
And concerns over the NHS aren't just coming from the top. An Ipsos Mori poll this month showed that the NHS has replaced immigration and Brexit as a key issue facing Britain for most voters.
40% mentioned the health service, hospitals or healthcare as a concern to them: more than cited any other issue.
It's not yet clear what strategies the NCSC has in mind to better protect the NHS and patient's confidential data.
In the meantime, European police agency, Europol, has issued a warning about ransomware, calling it the top form of online theft.