Last Friday a worldwide cyber attack took place and hit the NHS particularly badly due to its outdated systems. Below we discuss what happened and what you need to do to protect your business.

On Friday, the NHS was the victim of a severe and crippling ransomware attack, known as Wanna Decryptor or “WannaCry”. This piece of ransomware has infected 200,000 machines in 150 countries since Friday. Other organisations affected include FedEx, Renault and Nissan and the infection has spread as far as the USA and China.

Ransomware is a piece of software that encrypts computer data and locks files so the user can no longer access their device or files. It can infect your computer when you open image files, website links or any attachment sent by email or through messages sent on social media sites. The software demands a ransom be paid before your data is restored and your device unlocked. In this case it was $300 (£230) per device.

WannaCry’s impact on the NHS was colossal. Routine surgeries and GP appointments were cancelled and patients were diverted away from hospital accident and emergency departments. On Monday morning patients were still being asked to consider whether their appointment was strictly necessary and if not, not to attend. Thousands of NHS computers were locked as a result of the ransomware embedded on the systems.

Although these attacks are common, questions are being asked about how this attack was able to hold the NHS to ransom so effectively. There has been finger pointing over the NHS’s out-of-date computer systems: 1 in 20 NHS devices use Windows XP, a 16-year-old system no longer supported by Microsoft, and certain hospitals had not installed the security update received from Microsoft in April. As the NHS holds so much personal data on its patients and staff, there have been demands for a thorough review of the NHS’s cyber security and data protection.

Like other businesses, the NHS has obligations under the Data Protection Act 1998 (soon to be superseded by the General Data Protection Regulation 2016). The NHS must ensure that it has processes in place to keep its data secure. This should include having enough money from the government to train staff in identifying suspicious emails that may contain ransomware, so that this sort of incident does not happen again in the future. While it will take a formal investigation to determine how and why some parts of the NHS had insufficient security, we do know the things businesses should be doing now to ensure their risk of infection is minimised.

Here are some tips to help protect you and your business from being the victim of a ransomware attack:

  1. Install and use up-to-date antivirus software and pop-up blockers, and make sure your computer and/or device software is kept up to date with security patches.
  2. Train your staff in cyber-security issues, including avoiding clicking on links or opening attachments or emails from people or companies they don’t know.
  3. Regularly back up your important files, so that if you are subject to an attack you can quickly get your files back online.
  4. Review your current IT security internally and with any outsourced supplier. Who has responsibility for security, training and data protection breaches? In most cases this will be you.
  5. Conduct a data protection audit to ensure you are ready for the higher burden of compliance under the new General Data Protection Regulation, and to make sure your data is protected to the fullest possible extent.

If you or your business are concerned about data protection and cyber-security or would like professional advice, we have a team of experts ready to help.