The NHS has repelled over 11.3 million email-based cyber-attacks over the past three years, highlighting the continued threat to healthcare systems in the UK, according to new Centrify research.
The security company sent Freedom of Information (FOI) requests to NHS Digital in a bid to uncover the true picture of threats to the NHSmail system, which is apparently used by more than 500,000 staff daily.
Over half of the attacks (6.1m) were categorized as IP or domain reputation attacks, which are likely to be phishing attempts. Next came spam (3.6m) and malware-borne attacks (852,000).
Health service IT security teams were famously unprepared for the WannaCry ransomware worm of 2017, which exploited unpatched computers, causing the cancellation of an estimated 19,000 appointments and operations and disrupting a third (34%) of trusts.
That ended up costing the NHS around £92m in lost access to information and systems and emergency IT support – money that the health service can ill afford in an age of government austerity.
Last year, it received a £150m spending boost from central government to cover Windows 10 migration, a Security Operations Center (SOC), network upgrades and fixes for other “infrastructure weaknesses.”
However, the funding is spread out over three years and, whilst welcome, is unlikely to be enough to upgrade the health service’s ageing IT infrastructure – especially given the increasing scrutiny it’s being put under by hackers.
“It’s clear that hackers view the NHS as a top target with growing volumes of email attacks deliberately designed to fool doctors, nurses and other health service workers into handing over confidential data,” said Centrify VP, Andy Heather.
“Increasingly we’re seeing cyber-criminals gaining access to private information like patient records using legitimate log-in details which have been stolen or sold online. All too often this means that malicious activity remains undetected before it’s too late, so it’s vital that hospitals adopt a zero-trust approach to all user activity, ensuring every employee is verified and they are who they say they are.”