Simon Cox

Cyber Incidents – Your organisation's greatest risk?

The May 2024 Institute of Directors (IoD) Policy Voice survey asked directors to name their three highest organisational risks over the next 3 and 5 years.  In both timeframes the top risk was cyber incidents, selected by 69.6% of respondents over 3 years and 69.9% over 5 years.


Since 2020 there have been 1,636 cyber incidents within local and central government, including educational establishments, that required reporting to the ICO.  Although incident numbers fell in 2023, attacks remained prevalent, with 540 incidents reported in that year.  The trend continued with 129 incidents in Quarter 1 of 2024.


The latest major NHS cyber security incident, which led several London hospitals to declare a critical incident on Monday 3rd June 2024, is believed to be the work of the ransomware-as-a-service (RaaS) group Qilin. Qilin is financially motivated and Russia-based. Its tactics typically follow the double-extortion model: encrypt the victim's data, exfiltrate a copy, and threaten to publish it if a ransom is not paid.


The attack was directed against Synnovis, a pathology partnership between SYNLAB, Guy's and St Thomas' NHS Foundation Trust and King's College Hospital NHS Foundation Trust.  Because Synnovis systems were compromised and encrypted, pathology services were interrupted at the two NHS hospital trusts as well as at GP services across the boroughs of Bexley, Greenwich, Lewisham, Bromley, Southwark and Lambeth. The attack resulted in the postponement of non-emergency patient care and the diversion of operations requiring blood transfusion to unaffected hospitals. NHS systems are a prime target for cyber criminals because a single compromised supplier can disrupt multiple organisations at once.


Qilin has a track record of cyber attacks spanning medical organisations, courts and even the Big Issue. The Russian-speaking gang appears to take advantage of Putin's policy of turning a blind eye to international cyber criminals operating from his country, provided they do not target ex-Soviet states.


Healthcare continues to be a prime target for ransomware because of the sensitivity of the data it holds, including personal health information and financial data. This risk is especially pronounced in the NHS.  Ransomware attacks have affected the NHS repeatedly over the past year, including a 2023 data breach at Barts Health NHS Trust and the extortion of NHS Dumfries and Galloway by a ransomware attack in March 2024.


Traditional reactive approaches may no longer be sufficient to mitigate these threats. All organisations, including healthcare providers, need to implement robust access control mechanisms that encompass both their own systems and those of their third-party providers; as the Synnovis incident shows, a supplier's compromise becomes the customer's outage. This includes continuous monitoring, regular security testing and comprehensive cyber security incident response plans that are exercised, not just written.


The Information Commissioner's Office (ICO), in its most recent lessons learnt from the reprimands it has issued, highlighted the following priority matters:

  1. Bolstering online security and keeping systems safe is a must, particularly against phishing attacks;

  2. Use alternatives to BCC (blind carbon copy) when sending emails containing sensitive personal information, since a single mis-click into CC or To discloses every recipient's address; and

  3. Consider the risks relating to personal information when using messaging apps for business purposes.


How secure are your Cyber Security arrangements?

Have you obtained independent assurance on Cyber Security?

Is your Cyber Security Incident Response Plan fit for purpose?
