The NHS Trust in Cumbria suffered over 150 cyber attacks in the last five years, with a vast majority of such attacks targeting University Hospitals of Morecambe Bay NHS Trust which oversees operations at hospitals in Barrow, Kendal, Morecambe and Lancaster, a Freedom of Information request by BBC News has revealed.
Information obtained by BBC revealed that the number of cyber attacks targeting the Cumbria NHS Trust in the last five years was a lot higher than attacks suffered by other NHS trusts across the country.
Lee Coward, the head of information technology at the NHS Trust, said that “higher volumes of identified cyber ‘attacks” at the organisation was due to a “very rigorous reporting process” as well as a lot of time and resources being invested in keeping the trust’s IT systems safe. According to BBC, the NHS Trust spent £29,600 in 2017 in dealing with the effects of cyber attacks, the same year when the WannaCry ransomware attack took place.
Even though the number of cyber attacks accounted for by the Cumbria NHS Trust far outnumbers those suffered by other trusts, Joseph Carson, Chief security scientist at Thycotic, believes that the number is still “shockingly low”.
“The latest reports about Cumbria health trust being hit by 147 cyber-attacks over a five year period is shockingly low or they simply are not detecting and identifying the majority of cyber-attacks.
“Most organisations typically only know about the attacks that disrupt services, so most cybercriminals are simply hiding within the networks, stealing sensitive information or account passwords that typically go undetected for months and even years. Cybercriminals do not want to be found and will do everything possible to stay hidden. It wouldn’t be surprising if this number was even double or triple if a thorough investigation was being done,” he said.
“Most cyberattacks are usually resulting from poor cybersecurity practices such as unpatched systems connected to the internet or poor cybersecurity hygiene when employees are targeted through emails with one simple click on a link or attachment which opens the doors to the cybercriminal.
“Most employees are overprivileged and using credentials that when stolen, give the cybercriminal access to do whatever they want on the corporate networks and it is critically important that a least privilege strategy is a priority and enforced,” he added.
Acute lack of in-house cyber security personnel at NHS trusts
The ability of NHS trusts to detect or to respond to cyber attacks also gets severely curtailed due to a severe lack of trained in-house cyber security personnel as well as limited budgets. Recently, a series of Freedom of Information requests made by security firm Redscan revealed that among 159 NHS Trusts, there is only one cyber security specialist per 2,628 employees and nearly one in four such trusts do not have any cyber security specialists at all.
Freedom of Information requests filed by Redscan also revealed that NHS trusts spent an average of £5,356 on data security training, but individually, they spent between £238 to £78,000 with mid-sized trusts spending between £500 and £33,000 o employee training.
“It’s true that NHS trusts outsource key security functions to NHS Digital and other third-party specialists, but I would still expect to see more security professionals employed in-house. No doubt resources are being strained further still if you assume that staff with security qualifications are part of IT teams responsible for far more than just cyber security.
“Individual trusts are lacking in-house cybersecurity talent and many are falling short of training targets; meanwhile investment in security and data protection training is patchy at best. The extent of discrepancies is alarming, as some NHS organisations are far better resourced, funded and trained than others,” said Mark Nicholls, director of cyber security at Redscan.