National Health System Faces Up to 1 in 4 Chance of Being Attacked
A targeted cyberattack against Britain’s national healthcare system could lead to larger-scale disruption causing the organization several years to recover, the U.K. government warns.
In a risk assessment report published Thursday, the government said critical infrastructure, including healthcare, is susceptible to destructive hacks.
A targeted ransomware attack with quick infection capabilities can have almost “immediate” impact on the U.K’s National Health Service, leading to operational difficulties, according to the National Risk Register 2023.
The report says the risk is not theoretical, pointing to a 2021 ransomware incident that knocked offline the IT systems of the Irish national health system (see: Irish Healthcare Ransomware Hack Cost Over 80 Million Euros). And the global outbreak of WannaCry ransomware in 2017 infected roughly one-third of the regional organizations making up the British national health system.
An attack of sufficient strength could cause “second-order impacts” such as “delays and cancellations” that “would mean medical conditions worsen or are not diagnosed promptly.”
Although the assessment is based on hypothetical scenarios, the report warns there is mounting probability for cyberattacks with a “significant” impact to strike the United Kingdom within the next two years. The likelihood of such an attack is between 5% and 25%, the report says. That is an increase from the National Risk Register 2020, which rated the probability as between 1% and 5%.
Cyberattacks of that scale are likely to be carried out by nation-state hackers, whose risks to the U.K. increased significantly after Russia’s February 2022 invasion of Ukraine.
U.K. Cabinet Office Secretary of State Oliver Dowden earlier warned Russian Wagner Group-like “fringe” hackers could carry out attacks against British organizations with a primary motive to destroy and disrupt (see: Russian Hacktivists Aspire to Attack Critical Infrastructure).
Owing to the increased risk to the medical sector, the U.K. government in March announced it will spend 15 million pounds over the next two years to shore up cyber defenses.