Today, we’re diving into the complex world of cybersecurity with Rupert Marais, our in-house security specialist renowned for his expertise in endpoint and device security, cybersecurity strategies, and network management. With a recent claim by the cybercrime group Clop alleging a cyberattack on the UK’s National Health Service (NHS), Rupert joins us to unpack the intricacies of this situation, the challenges of securing massive healthcare systems, and the broader implications for patient safety and data protection.
Can you walk us through the recent claim by the cybercrime group Clop about a cyberattack on the NHS?
Certainly. Clop, a well-known extortion crew, recently added the NHS to their leak site on November 11, claiming they’ve breached the organization. However, they’ve been quite vague, only mentioning the NHS.uk domain without specifying which part of this vast healthcare system was targeted. As of now, they haven’t published any stolen data or concrete evidence to back up their claim, which leaves a lot of questions unanswered about the scope and validity of the alleged attack.
Why does Clop’s lack of specificity about which part of the NHS was targeted create such a challenge?
The NHS isn’t a single entity; it’s a sprawling network of hundreds of organizations operating at national, regional, and local levels. When Clop doesn’t pinpoint which branch or trust they’ve compromised, it’s incredibly difficult to assess the damage or even confirm if an attack happened at all. This vagueness complicates the response process—cybersecurity teams have to investigate across a massive system without a clear starting point, which can delay critical mitigation efforts.
Clop listed the NHS’s revenue as $234 billion in their claim. Can you shed some light on where this number might have come from?
It seems Clop pulled this figure from a very basic source, likely a quick Google search for ‘NHS revenue.’ The number aligns roughly with the Department of Health and Social Care’s 2023/24 budget, though more recent figures show the actual budget is higher by several billion. This reliance on outdated or surface-level data might suggest that Clop’s research—or their understanding of their target—isn’t as thorough as one might expect from a sophisticated cybercrime group.
How has NHS England responded to these claims so far?
NHS England has taken a cautious stance. They’ve acknowledged that the NHS was listed on Clop’s leak site as a target of a cyberattack, but they haven’t confirmed or denied whether a breach actually occurred. Their cybersecurity team is collaborating closely with the National Cyber Security Centre to investigate the claim. It’s a measured response, focusing on verification before making any definitive statements, which is critical to avoid unnecessary panic or misinformation.
Given that the NHS is underfunded and has a policy against paying ransoms, how does this impact Clop’s strategy?
It significantly lowers Clop’s chances of getting a financial payout. The NHS’s stance on not paying ransoms is well-known, and their budget constraints make it even less likely they’d bend on this policy. However, groups like Clop often target organizations like the NHS not just for direct ransom but for other gains—such as selling stolen data on the dark web or using the breach as leverage for future attacks. The mere threat of exposure can also damage public trust, which might be part of their broader goal.
What is it about the NHS that makes it such an appealing target for cybercriminals like Clop?
The NHS is a prime target for several reasons. First, it’s enormous—often cited as the largest employer in Europe—with critical systems that millions of people rely on for life-saving care. Disrupting those systems can create chaos, which gives attackers leverage. Second, the NHS holds vast amounts of sensitive patient data, from medical histories to personal identifiers, which is incredibly valuable on the black market. That combination of scale, criticality, and data wealth makes it a magnet for cybercrime.
How do past cyberattacks on the NHS inform our understanding of the current situation with Clop?
The NHS has been targeted multiple times over the years by various cybercrime groups, so this isn’t a new phenomenon. Past incidents, like ransomware attacks on suppliers or trusts, have shown how disruptive these breaches can be, often leading to patient harm rather than financial gain for the attackers. These events highlight the NHS’s vulnerability due to its reliance on interconnected, sometimes outdated systems, and underscore why attackers keep coming back despite the no-ransom policy. Each attack also provides lessons on gaps in security that need addressing.
What steps do you think healthcare organizations like the NHS should prioritize to better protect against threats like this?
Healthcare organizations must focus on a multi-layered defense strategy. First, they need robust endpoint security to protect devices across their networks, given how many entry points exist in a system as large as the NHS. Regular patching and updates are crucial, especially for known vulnerabilities like those in software such as Oracle E-Business Suite, which Clop has exploited elsewhere. Additionally, investing in employee training to recognize phishing and other social engineering tactics is key, as human error often opens the door for attackers. Finally, having a strong incident response plan—tested regularly—can minimize damage if a breach occurs.
Looking ahead, what is your forecast for the future of cybersecurity threats targeting healthcare systems like the NHS?
I expect healthcare systems to remain prime targets for cybercriminals in the coming years. As healthcare becomes more digitized—with electronic records, telemedicine, and connected medical devices—the attack surface will only grow. Ransomware will continue to evolve, with groups like Clop likely focusing on double or triple extortion tactics, where they not only lock systems but also threaten to leak data or target patients directly. On the flip side, I hope to see stronger regulations and international cooperation to combat these threats, alongside increased funding for cybersecurity in public health sectors. But it’s going to be an ongoing battle, and organizations like the NHS will need to stay vigilant and proactive to keep pace with increasingly sophisticated attackers.
