NHS remains target for cyber thieves, claims new survey

SolarWinds reveals number of online attacks on NHS is on the increase, and a lack of resources is compounding the problem

Healthcare organisations are still a key target for cyber attacks

A continued lack of funding means the NHS remains attractive to cyber criminals, according to the findings of a new survey.

IT management software provider, SolarWinds, this week released the findings of its latest Freedom of Information (FOI) request investigating cyber security challenges and preparations in UK public-sector organisations.

The results show that while over a third (38%) of respondents claimed to have experienced no cyber attacks in 2018, compared to 30% who said the same for 2017, there was an increase in the number of organisations reporting in excess of 1,000 incidents.


18% of respondents said this was the case in 2018, up from 14% in 2017, despite the Minimum Cyber Security Standard being published in June 2018, a guideline that 98% of respondents said they were aware of.

In total, 28 central government organisations, 164 NHS trusts and Clinical Commissioning Groups (CCGs), and the MOD responded to the FOI request.

And 74% of healthcare organisations that provided an answer to how many cyber attacks they experienced in 2017 and 2018 experienced fewer than 50 incidents in 2018, slightly fewer than in 2017 (75%).

This increase seems somewhat at odds with the fact that the WannaCry outbreak was in 2017, costing the health service £92m and causing more than 19,000 appointments to be cancelled.

The researchers said this suggests the attack may have been a one-off for many NHS organisations.

Attacks were predominantly phishing or malware: 95% of organisations said they had experienced phishing, and 86% had experienced malware.

The least-common types of detected attacks or threats according to respondents were from malicious insider threats (3%) or foreign governments (3%).


In terms of defences, firewalls (98%), antivirus (98%), and malware protection (96%) were the three most common solutions deployed. 94% also had patch management.

Where respondents knew how much was allocated to cyber security defence budgets, most public-sector organisations allocated between £100,001 and £500,000, with the average spend being over £350,000.

Limiting factors for cyber security maintenance and improvement were centred around resources and meeting competing priorities.

Budget concerns were a particular problem for healthcare organisations, with 68% of NHS trusts and CCGs reporting budget constraints as an issue, compared to 50% of central government respondents.

“While preparation is generally high throughout the public sector, the growth in large numbers of attacks shows that there is still significant risk,” said Sascha Giese of SolarWinds.

“These results highlight the importance of finding simple-to-use, affordable and scalable security solutions that can work across the varied IT environments like those in the NHS and central government, to ensure the most-comprehensive protection available for these vital services.”
