Nearly half of all NHS Trusts suffered a ransomware attack during the past year, according to a Freedom of Information (FoI) request from NCC Group.
The cybersecurity firm claimed 60 Trusts responded to its request, although half of these withheld information due to patient confidentiality.
That means the real figure on ransomware infections could be even higher than the 47% revealed by this study.
NCC Group technical director, Ollie Whitehouse, warned that ransomware campaigns are increasingly professional, meaning data retrieval is usually not an option once a system has become infected.
Phishing emails are one of the most common threat vectors, he claimed.
“There is no silver bullet or one single solution that can stop this type of attack, despite what many security companies may claim,” said Whitehouse.
“Instead, we would recommend a multi-layered approach, applying robust controls such as regular patching of software, using up-to-date anti-virus and educating staff as to the risks posed by phishing and ransomware.”
The ransomware threat is not limited to healthcare organizations, of course, with all industries potentially at risk.
Just yesterday another FoI request revealed that 56% of UK universities have been hit by ransomware in the past year.
Hospitals are particularly at risk, though, given the nature of the work they do and the data they hold.
Cyber-criminals are increasingly prepared to raise the value of the ransom according to how desperate they believe the victim organization is to gain access to its mission-critical data.
For hospitals, this could mean hefty sums to pay out.
The Hollywood Presbyterian Medical Center famously ended up paying online extortionists $17,000 for a decryption key after being hit with a ransomware infection which forced key systems offline, affecting patient care for days.
“The damage that a successful ransomware attack can cause makes these findings not simply an issue for a Trust’s IT team, but for its board of directors too,” warned Whitehouse.
“Paying the ransom – which isn’t something we would advise – can cost significant sums of money, yet losing patient data would be a nightmare scenario for an NHS Trust.”