UK National Health Service suppliers asked to tackle ‘endemic’ ransomware attacks

The chief executives of companies supplying Britain’s National Health Service (NHS) have been sent letters asking them to help tackle the “endemic” threat of ransomware attacks following a series of disruptive incidents.

In an open letter published Thursday, written “to highlight the growing and ever-changing cyber security threat level that we collectively face,” NHS suppliers were warned that incidents have been getting more severe and frequent in recent months.

The letter sets out NHS England’s views on best practices from suppliers, and asks them to take several steps — including to maintain immutable backups for recovery purposes, ensure multifactor authentication is turned on for network access, and apply the latest patches to address known vulnerabilities — to mitigate future attacks.

Executives have been encouraged to sign up to NHS England’s voluntary public charter, when it is launched later this year, and are reminded that they will have contractual terms with NHS organisations as well as legal responsibilities to protect any personal data they process.

Last year, at least two attacks in the United Kingdom had a direct impact on patients. One affecting pathology services company Synnovis led to a critical incident being declared across several hospitals in London and the postponement of thousands of appointments and operations, including for cancer patients.

In the second, every single household in the Scottish region of Dumfries and Galloway received a letter warning residents their data was likely to have been accessed by cybercriminals and published online following a ransomware attack.

While the British government has pledged to improve cybersecurity across the healthcare sector with a new Cyber Security and Resilience Bill, intended to introduce new obligations on digital services and supply chains, that bill has yet to be introduced to Parliament.