Since 2014, at least 65 NHS trusts have been “successfully” attacked with ransomware. A total of 209 incidents were reported in documents obtained through our Freedom of Information (FOI) requests.
With almost all of these occurring prior to 2018, has the NHS learned from the crippling WannaCry attack in 2017?
We submitted Freedom of Information requests to all of the UK trusts to find out:
- How many ransomware attacks their trusts had suffered over the last 5 years
- Whether or not they paid the ransom and how much it was
- How much downtime the attack caused
- What the overall cost to the trust was
What did we find?
Around 34 percent of trusts have been impacted by ransomware attacks. Over the last 5 years, at least 209 attacks occurred (an attack may affect an entire system or it could only affect one computer), causing an estimated 4943 hours (nearly 206 days) of downtime in total. None of the affected trusts paid any ransom.
Most trusts are unable to calculate the true impact of these attacks on their day-to-day services and/or refuse to release information about their cybersecurity, meaning the total damages could be much higher.
In fact, we estimate that a further 23 trusts are likely to have suffered some form of attack – at the very least. This would increase the overall downtime caused by approximately 575 hours (24 days).
Which year saw the most ransomware attacks?
2017 was the biggest year for ransomware attacks, largely caused by the WannaCry attacks in May. Of all the FOI requests we received, 48.33 percent occurred in 2017, followed by 21.05 in 2016, 20.57 in 2015, and just over 3 percent throughout 2014, 2018, and 2019 combined.
The lower number of attacks in 2018/19 does hopefully demonstrate that more robust procedures and systems are in place following the large-scale WannaCry attack in 2017. The downward trend coincides with increased spending from the NHS to secure local infrastructure, reduce vulnerabilities, increase cyber resilience, and update IT systems to Windows 10. Recommendations were also made for staff to complete cyber awareness training. And organizations were told to consider removing staff members’ access to IT systems if they hadn’t completed this mandatory training.
14 of the attacks weren’t assigned a specific date because the trust either did not know or was unwilling to reveal the date due to security concerns.
We should also note that data for 2019 is still being processed by the trusts, meaning the total number of attacks could be higher.
How much downtime is ransomware causing UK hospitals?
Some trusts noted zero downtime from the ransomware, dealing with the attack as “business as usual.” Others shut down systems as a precaution and some had to reimage PCs.
The total downtime isn’t often recorded as it can affect various departments and/or staff costs are included as part of IT services.
Nevertheless, when the trusts did offer downtime figures, these demonstrated just how disruptive ransomware attacks can be. The average attack causes up to 25 hours of downtime.
One trust shut down its systems for 48 hours as a precaution while keeping some others off for several weeks so they could be repaired and restored as required.
The true cost of ransomware for UK hospitals
The vast majority of trusts were unable to quantify the amount of downtime caused by ransomware. As a result, the impact of these attacks is likely to be far greater than what reports state.
We did ask the trusts how much each ransomware attack cost their organization, but many were unable to quantify this. Some released figures based on the additional staff costs required to restore systems while others revealed the cost of replacing affected systems. Few of them were able to indicate the true impact it had on things like admissions, cancellations, and Emergency Department attendances.
A recent report by the Department of Health and Social Care looked specifically at the cost of the WannaCry attack. It estimated that during the attack, lost output would have cost the NHS £19 million with a further £0.5 million for IT costs. Afterward, a further £72 million was required to restore systems and data affected in the attack. This puts the total cost of the WannaCry attack at almost £92 million ($120.7 million).
Even though ransomware attacks differ and may only affect a single computer within the trust, these estimated figures do indicate that the cost of ransomware attacks over the last five years may extend into nine figures.
Nevertheless, the sharp decrease in attacks since 2017 does show that the money being injected into improving IT systems and cybersecurity knowledge within the NHS is working. But as experts suggest, it is crucial that more money is spent on security and better safeguards are put in place as technology advances at a rapid pace.
At present, there are no agreed minimum standards for security, and procurement policies don’t adequately detail how devices should be monitored and regulated. This means suppliers have little incentive to ensure top-notch cybersecurity for their devices as it isn’t a requirement and can be costly.
The NHS lacks these imperative safeguards for medical devices, potentially leaving systems exposed to further cybersecurity threats and large-scale attacks like 2017’s WannaCry attack. And with the recent spate of attacks in the US and Australia and a large attack on a French hospital that affected 6,000 computers, the threat remains imminent.
Methodology
To collect the data, Freedom of Information requests were submitted to all of the trusts across the UK. Around 80 percent of hospitals provided us with the information requested. The remaining 20 percent refused or didn’t respond to our request.
To help keep any affected trusts anonymous, we haven’t included the names.
Some trusts noted that the cost of an attack was negligible. Therefore, when we calculated the average cost of a ransomware attack, these £0 figures were included. This is the same for downtime where some trusts said the amount was zero.
When costs and downtime figures were included, costs often included the time and equipment needed to reimage computers and additional staff costs. As we have noted, it is difficult for trusts to know the overall costs involved in the downtime of their systems and some may record different costs than others.
Our estimate for the further 23 trusts that are likely to have had an attack is based on the fact that 34 percent of the hospitals who completed our FOI requests had been subject to ransomware. Therefore, we can apply this figure to the 67 trusts who either didn’t return our requests or refused to, giving us the figure of 23 (34 percent of 70).