Healthcare practices could be next ransomware targets
It is thought that cyber criminals are starting to cast around for new victims of ‘ransomware’ attacks and security experts believe they could be setting their sights on the healthcare records at GP and dental surgeries, which are 100 times more valuable than stolen credit card details.
In order to encrypt data on a target’s system, criminals send a bogus email to an employee there with a link to an attachment. If the employee opens it, the criminal controls access to the data and will only decrypt it if a ransom is paid.
Ransomware is big business for cyber criminals and the crime is on the rise. In 2015, the FBI reported losses to business of £19m in the US but that had risen to £171m in the first quarter of 2016 alone and the Bureau claims it is soon to become a billion dollar industry.
Even more worrying is that the technology behind the attacks is becoming more sophisticated and criminals are targeting specific sectors where a ransomware attack could do the most damage and therefore is most likely to yield a result.
According to a recent Freedom of Information (FoI) request, 30 per cent of NHS Trusts have been the victims of ransomware attacks in the past year and Imperial College Healthcare NHS Trust was attacked 19 times in just 12 months. Meanwhile, Northern Lincolnshire and Goole NHS Foundation Trust was forced to cancel 2,800 appointments and operations over a four-day period because of such an attack.
There are also reports of dental practices and GP surgeries being targeted, with one practice having to close for a week while it retrieved its data and another paying the £20,000 ransom, as they did not have an effective backup system.
Practices should therefore ensure that their IT systems are properly protected and that data is backed up in a secure place. Staff should also be instructed not to open any emails they think might be bogus. If all the necessary precautions are taken, there is less chance of the practice being sued by patients in the event of a data breach.