NHS Scotland Confirms Clinical Data Published By Ransomware Gang
NHS Dumfries and Galloway condemns ransomware gang for publishing patients' clinical data after cyberattack earlier this month
Health authorities in Scotland have hit out at a ransomware gang after it started publishing data, including clinical and personally identifiable information of both patients and staff.
The confirmation came after NHS Dumfries and Galloway had warned on 15 March that it had been the target of a focused and ongoing cyber attack on its IT systems.
It has been widely reported that the hacking gang, dubbed INC Ransom, obtained 3TB (terabytes) of data and is threatening to publish the entire tranche unless a ransom is paid.
Data published
Now the NHS has condemned the decision of the hackers to publish some of the data.
“NHS Dumfries and Galloway is aware that clinical data relating to a small number of patients has been published by a recognised ransomware group,” the board said in a statement. “This follows a recent focused cyber attack on the Board’s IT systems, when hackers were able to access a significant amount of data including patient and staff-identifiable information.”
NHS Dumfries and Galloway chief executive Jeff Ace condemned the publication of the data.
“We absolutely deplore the release of confidential patient data as part of this criminal act,” said Ace. “This information has been released by hackers to evidence that this is in their possession.”
“We are continuing to work with Police Scotland, the National Cyber Security Centre, the Scottish Government, and other agencies in response to this developing situation,” Ace said. “Patient-facing services continue to function effectively as normal.”
“As part of this response, we will be making contact with any patients whose data has been leaked at this point, and continue working to limit any sharing of this information,” Ace added.
“NHS Dumfries and Galloway is very acutely aware of the potential impact of this development on the patients whose data has been published, and the general anxiety which might result within our patient population.”
The INC ransomware operation is now threatening to leak more data via their dark web leak site.
Frustrated hackers
The refusal of NHS Scotland to pay the hackers' ransomware demand was noted by William Wright, CEO of Scotland-based Closed Door Security.
“It’s been almost two weeks since the attack on NHS Dumfries and Galloway was announced, and the attackers are clearly frustrated that they haven’t received a pay out yet,” said Wright. “But this is unlikely to be a surprise to them.”
“The UK government has been very public in its commitment to not pay ransomware actors, and it’s highly unlikely they are going to back down on this,” said Wright. “Ransomware attackers are aware of this pledge, but they still keep targeting public services and charities, like the Big Issue and Dumfries and Galloway.”
“They know they won’t receive a pay out from these organisations, but they continue to attack them,” said Wright. “This could suggest the motivation for the attacks is purely to cause damage to the UK, rather than to make money.”
“This will be a worrying time for patients of NHS Dumfries and Galloway, knowing that their data has been compromised by criminals,” said Wright. “These individuals must be vigilant to scams targeting them via emails. Any correspondence requesting personal or financial information should be verified with the sender before it is actioned.”
“We don’t know how the criminals gained access to NHS Dumfries and Galloway, but the incident does act as a reminder that all organisations are targets for criminals,” said Wright. “They don’t always go after the biggest organisations; small and relatively unknown organisations are just as lucrative, and they often don’t benefit from big security budgets to keep determined attackers out of their networks.”
“When it comes to defences, organisations must focus on a layered strategy, which includes running proactive security assessments to find and close exploitable bugs, training employees on attack techniques, and having the ability to segment the network, so even when unauthorised intruders do break in, they can’t travel,” Wright concluded.
Healthcare targets
Meanwhile, Mike Newman, CEO of My1Login, noted that despite INC being a relatively new ransomware operation, it has already targeted multiple healthcare organisations.
“Research has also shown that INC often uses phishing and social engineering as a gateway to target organisations, so there is a high chance this was the vector used to target Dumfries and Galloway,” said Newman.
“If this is the case, it once again highlights the importance of protecting against this attack vector,” said Newman. “Organisations can achieve this using modern identity management solutions.”
“These solutions can automate the removal of passwords from the hands of employees for all applications and systems,” said Newman.
“This means employees never see, know, or manage passwords, which makes it impossible for them to accidentally give away their credentials to phishers,” Newman concluded. “This eliminates password phishing risks and provides organisations with significant improvements to their cyber defences.”
Should pay?
Meanwhile, Dr Ilia Kolochenko, CEO at ImmuniWeb and adjunct Professor of cybersecurity at Capital Technology University, noted that in certain cases it may be the lesser of two evils to pay the ransom, despite official advice being firmly against that position.
“This is why enacting legislation that would flatly ban payment of ransom is highly undesirable and can cause more harm than good,” noted Dr Kolochenko. “Whilst I share the FBI’s firm position that payment of ransom subsidises cybercrime and provokes new cyberattacks, there are cases when an isolated payment of ransom will be the lesser of all evils.”
“While it is unclear how many individuals are impacted by the attack and what kind of sensitive medical data has been stolen, the mere size of the dump implies quite catastrophic and unrepairable damage to some individuals,” said Dr Kolochenko.
“For instance, if an HIV status, sexual health or terminal cancer diagnosis is publicly revealed, it can ruin people’s careers or even provoke suicide,” Dr Kolochenko warned. “Under such extreme pressure, payment of ransom may be well justified. Having said this, payment will, of course, not guarantee that the data will never be leaked elsewhere but it will at least reduce such risk.”
“Finally, the best and most sustainable solution is to enact, help to comply with, and enforce cybersecurity legislation like EU’s DORA or NIS 2 Directive,” Dr Kolochenko concluded. “Otherwise, we are treating the symptoms, not the disease.”