Tag Archives: Freedom of Information

“30% of NHS Trusts have experienced a ransomware attack” finds SentinelOne

30% of NHS Trusts in the UK have experienced a ransomware attack, potentially placing patient data and lives at risk. One Trust – the Imperial College Healthcare NHS Trust – admitted to being attacked 19 times in just 12 months. These are the findings of a Freedom of Information (FoI) request submitted by SentinelOne.

The Ransomware Research Data Summary explains that SentinelOne made FoI requests to 129 NHS Trusts, of which 94 responded. Three Trusts refused to answer, claiming their response could damage commercial interests. All but two Trusts – Surrey and Sussex and University College London Hospitals – have invested in anti-virus security software on their endpoint devices to protect them from malware.

Despite installing a McAfee solution, Leeds Teaching Hospital has apparently suffered five attacks in the past year.

No Trusts reported paying a ransom or informed law enforcement of the attacks: all preferred to deal with the attacks internally.

Ransomware which encrypts data and demands a ransom to decrypt it has been affecting US hospitals for a while now. The Hollywood Presbyterian Medical Center in Los Angeles notoriously paid cyber criminals £12,000 last February after being infected by Locky, one of the most prolific ransomware variants.


With infected computers or networks becoming unusable until a ransom has been paid* or the data has been recovered, it’s clear why these types of attack are a concern for business continuity professionals; the latest Horizon Scan Report published by the Business Continuity Institute highlights cyber attacks as the prime concern. This is a very good reason why cyber resilience has been chosen as the theme for Business Continuity Awareness Week in 2017.

“These results are far from surprising,” said Tony Rowan, chief security consultant at SentinelOne. “Public sector organisations make a soft target for fraudsters because budget and resource shortages frequently leave hospitals short changed when it comes to security basics like regular software patching. The results highlight the fact that old school AV technology is powerless to halt virulent, mutating forms of malware like ransomware. A new and more dynamic approach to endpoint protection is needed.”

Rowan continued: “In the past, some NHS Trusts have been singled out by the Information Commissioner’s Office for their poor record on data breaches. With the growth of connected devices like kidney dialysis machines and heart monitors, there’s even a chance that poor security practices could put lives at risk.”

*Note that the data isn’t always recovered even after a ransom has been paid


Filed under Risk UK News, Uncategorized

ICO requires “stronger powers” and “a clearer guarantee of independence”

UK Information Commissioner Christopher Graham has warned that it has never been more important for the general public to have an independent regulator overseeing the handling of people’s personal data.

Speaking at the launch of the Information Commissioner’s Office’s (ICO) Annual Report earlier today, Christopher Graham highlighted how the troubled launch of care.data, Facebook’s research and the so-called Google ‘right to be forgotten’ ruling show why there’s a need to have an independent regulator.

Christopher Graham: the Information Commissioner

Graham also warned that independence relies on strong powers and sustainable funding.

The Annual Report shows that the ICO responded to a record number of data protection and Freedom of Information complaints this year.

Sometimes the State is the issue

“Facebook, care.data, Google: it’s clear that organisations’ use of data is getting ever more complicated,” stressed Graham. “People need to know someone is watching over their information. That someone needs to be independent of Government and business so the public know the regulator can be trusted. Sometimes the State is itself the issue. When the Intelligence and Security Committee wanted to know how the Snowden revelations fitted with data protection law, it turned to the Information Commissioner.”

Graham added: “Independence means someone who has the resources to take on this ever-growing number of cases. The last twelve months have witnessed a record – more complaints resolved than ever, more enforcement action taken and more advice given through our Helpline. It also means having the powers to act on the more serious complaints. A strong regulator is needed if a data breach affects millions of people.”

In conclusion, the Information Commissioner explained: “That someone is the Information Commissioner. We’re effective, efficient and busier than ever but, to do our job properly and to represent people properly, we need stronger powers, more sustainable funding and a clearer guarantee of independence.”

The report’s figures in detail

This year’s Annual Report shows that the ICO has handled 259,903 calls to its Helpline and resolved 15,492 data protection complaints – in both cases a rise of over 10% on the previous financial year.

The ICO has also decided on 5,296 Freedom of Information complaints (a 12% rise on last year’s figure), and received 161,720 reports from people concerned about spam texts and nuisance calls.

For the past five years the ICO has faced a reduction in its funding for FOI, while the proposed EU data protection reforms would remove the notification fee that funds the ICO’s work under the Data Protection Act.

The ICO’s written submission to the Intelligence and Security Committee in February is now available.

The Information Commissioner will appear before the Intelligence and Security Committee in the autumn.


Filed under Risk UK News