A recent survey of 25 Dutch hospitals found that at least 15 had been hit by ransomware attacks over the past three years, highlighting how vulnerable Dutch hospitals are to such attacks.
The hospitals concerned would only participate in the survey anonymously to avoid attracting future attacks. 20 further hospitals declined to take part in the survey due to security concerns.
The majority of these attacks blocked access to computer files and demanded money to reverse the process. Because standard practice in the healthcare sector is to back up files daily, the impact of the ransomware attack on stored data was minimal. One hospital saw delays in its outpatient clinic as a result of the attacks, and another had 75 computers infected.
“This is a very serious signal,” security researcher Sijmen Ruwhof said. “Ransomware is actually a shotgun. A fluke.” Elaborating further, Sijmen stated: “Can you imagine what happens when the hackers actually target a Dutch hospital?”
The Dutch Association of Hospitals is calling for greater investment in digital security. “In recent years much attention was on controlling costs, and this has sometimes led to too little attention to IT,” Chairman Yvonne van Rooy said.
In May, the WannaCry virus affected hospitals in the UK. Last year an attack in Germany forced a hospital to operate without the Internet, which led to operations being delayed.
The West-Friesland Hospital in Hoorn has been hit three times by ransomware. Board member Hugo Keuzenkamp claimed, “For us, it has not led to major problems”. On average, 85 potential attacks are received daily via email, with the majority being repelled successfully.
14 of the 25 hospitals surveyed still use Windows XP in a number of departments. With Microsoft no longer providing free security updates for this operating system and only one of the hospitals actually paying for such updates, it is clear where a lot of the vulnerabilities lie.
Very often the operating system is built into medical devices, such as MRIs and scanners. Despite the clear risks of using outdated software, many hospitals continue to use the equipment as the devices remain functional. “Hospitals often cannot get updates because Windows XP is installed,” explains Bart Jacobs, Professor of Computer Security at Radboud University Nijmegen, The Netherlands. “If the manufacturer does not want to update, you will continue to use the old version of Windows.”
The West-Friesland Hospital has 75 such devices. “The software of this equipment works fine, but only runs on Windows XP,” says Keuzenkamp. “I’d rather give money to nurses than firewalls and virus scanners, but you cannot escape it.”
To reduce risk, a number of the hospitals disconnect devices from the Internet or protect them with firewalls.
Protect yourself from ransomware
Ransomware has become a major tool for cyber criminals in the past few years, but it was through WannaCry that it gained widespread public awareness.
In response to the growing concern over ransomware, IT Governance now provides a scalable solution for staff awareness training. Our Phishing and Ransomware – Human patch e-learning course explains the threats that ransomware presents to organisations, and gives details of the resources available to help you understand and combat those threats. This ten-minute course provides an introduction to phishing and ransomware. We also offer a more detailed Phishing Staff Awareness Course.
We can also offer a Cyber Health Check for large organisations. This three-day Cyber Health Check combines on-site consultancy and audit, remote vulnerability assessments, and an online staff survey to assess your cyber risk exposure and identify a practical route to minimise your risks. Receive a prioritised action plan for controlling your cyber risks in line with your risk appetite.