Cumbria NHS trust hit with 'extraordinary' amount of cyber attacks in past five years

A BBC Freedom of Information (FOI) request has revealed that in the past five years, the NHS in Cumbria has been hit by more than 150 cyber attacks, a figure labelled as "extraordinary".

Of the reported cyber attacks, 147 of them were targeted at University Hospitals of Morecambe Bay NHS Trust (UHMBT), which runs hospitals in Barrow, Kendal, Morecambe and Lancaster.

The Trust told the BBC that it had spent £29,600 in 2017 on dealing with the effects of the attacks, but said the "vast majority" were "untargeted and unsuccessful".

The Trust's head of IT, Lee Coward, said the Trust has a rigorous reporting process, which could explain why it, in particular, reported higher numbers than other organisations.

Regardless, the number of attacks reported is "extraordinary", said Iain Stainton, senior lecturer in policing and criminology at the University of Cumbria. The average at the National Cyber Security Centre was about 10 per week, he added.

Others are concerned about different parts of the report. "The latest reports about Cumbria health trust being hit by 147 cyber-attacks over a five year period is shockingly low or they simply are not detecting and identifying the majority of cyber-attacks," said Joseph Carson, chief security scientist at Thycotic.

Expressing cynical distrust in the statistics, he added: "Cybercriminals do not want to be found and will do everything possible to stay hidden. It wouldn't be surprising if this number was even double or triple if a thorough investigation was being done."

"The volume of attacks on the NHS is not too surprising in some ways," said Paul McKay, senior analyst at Forrester. "What is more interesting is not just the statistics of NHS Cumbria, but what this would actually look like when scaled across the whole NHS. This shows the urgent case for modernising the NHS's approach to how it uses technology and particularly how it secures this technology. Patient confidentiality and safety are prime and this information should not be falling into the wrong hands, we should be able to trust the NHS with some of our most sensitive personal secrets and information."

The report suggests that even after catastrophes such as WannaCry, the NHS still isn't investing enough in cyber security.

In the long-term, a grand investment would surely be more economically viable than sustained payouts for repairs caused by inferior technology.

After WannaCry's devastation, Copeland Borough Council spent £2 million to recover from a separate attack later that year.

Mike Starkie, independent elected mayor, said the council "had 60 anti-virus systems running and only three of those actually detected that there was anything in the system... none of them picked up actually what it was."

The results of a separate FOI request found that some NHS Trusts were spending as little as £250 on cyber security, despite the Department for Health and Social Care (DHSC) having committed an additional £150 million on NHS cyber security a year after the WannaCry attack.

The average spend on data security training across 159 Trusts surveyed was £5,356 in the last 12 months, but this ranged widely from £238 to £78,000, with no correlation to the size of the Trust or its location.

It was also revealed in April 2018, a year after the WannaCry attack on NHS systems, that not a single NHS Trust passed the NHS's cyber security assessment.

Every single Trust of the 200 assessed failed the cyber security assessment - in some cases because they had failed to apply critical patches to their systems, which is the main reason WannaCry was able to spread so widely in the first place.

Connor Jones
News and Analysis Editor