“We continue to monitor all 1.41 million NHSmail accounts for suspicious activity and evolving security threats”
Some 113 NHS email accounts were compromised by phishing emails last month, the NHS has admitted.
The attack came amid a large-scale, ongoing phishing campaign across the UK targeting multiple sectors.
Due to the potential compromise of sensitive data like patient medical records, a breach of any kind on NHS end-points is of serious concern; all affected accounts have been isolated.
A spokesperson for NHS Digital played down the incident, saying: “There is currently no evidence to suggest that patient records have been accessed. We are working closely with the National Cyber Security Centre, who are investigating a widespread phishing campaign against a broad range of organisations across the UK.”
“This has affected a very small proportion of NHS email accounts.”
“We are investigating this issue and have taken the precaution of asking all mailboxes that have a similar configuration to the compromised accounts to change their passwords with immediate effect.”
(Any NHS security compromise inevitably conjures up memories of 2017’s devastating WannaCry attack. Experts say the NHS’s security has improved markedly since then, but soft spots remain.)
NHS Email Accounts Hacked
The sensitive data that the NHS has access to is of real value not just to hackers, but also to commercial or state actors.
To mitigate the risk to its patients and employees, the NHS has worked with the NCSC to implement new security guidelines across the organisation.
Using a range of security techniques, from reducing the organisation’s overall reliance on passwords to implementing multi-factor authentication and single sign-on systems, the NHS has witnessed a 94 percent decrease in phishing incidents within the last year.
The NCSC issued a warning in 2018 about a campaign that has continued to this day, with a sharp spike of attacks again noted in October 2019.
The agency said at the time: “The NCSC is aware that victim accounts have been compromised without a user actually entering any credentials. It is possible that the actor has used password spraying to gain access.
“Following compromise, the actors access the accounts remotely (via IMAP) to monitor the victim mailbox and observe the sent items. The account is then accessed a second time to disseminate this phishing email further (via SMTP), using the victim’s address book identified in the previous access.”
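The sequence the NCSC describes (failed logins spread across many accounts, a successful IMAP login, then a bulk SMTP send from the same mailbox) can be searched for in mail-server logs. The sketch below is an added example, not code from the article or from the NCSC; the log format, field order, thresholds and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). Assumed fields per line:
# time, source IP, protocol, account, outcome, recipient count.
SAMPLE_LOG = """\
2019-10-14T09:00:01 203.0.113.7 IMAP alice FAIL 0
2019-10-14T09:00:04 203.0.113.7 IMAP bob FAIL 0
2019-10-14T09:00:09 203.0.113.7 IMAP carol FAIL 0
2019-10-14T09:00:13 203.0.113.7 IMAP dave FAIL 0
2019-10-14T09:00:17 203.0.113.7 IMAP erin OK 0
2019-10-14T09:05:52 198.51.100.20 IMAP frank OK 0
2019-10-14T11:30:00 203.0.113.7 SMTP erin OK 180
2019-10-14T11:45:00 198.51.100.20 SMTP frank OK 2
"""

def parse(log):
    events = []
    for line in log.splitlines():
        ts, src, proto, user, outcome, rcpts = line.split()
        events.append((datetime.fromisoformat(ts), src, proto, user, outcome, int(rcpts)))
    return sorted(events)

def spray_sources(events, min_accounts=4, window=timedelta(minutes=10)):
    """Sources that fail logins against many distinct accounts in a short window."""
    fails = defaultdict(list)
    for ts, src, _, user, outcome, _ in events:
        if outcome == "FAIL":
            fails[src].append((ts, user))
    flagged = set()
    for src, items in fails.items():
        for start, _ in items:
            users = {u for t, u in items if start <= t <= start + window}
            if len(users) >= min_accounts:
                flagged.add(src)
    return flagged

def suspected_takeovers(events, min_recipients=50):
    """Accounts a spraying source opened over IMAP that later sent bulk mail over SMTP."""
    sprayers = spray_sources(events)
    imap_ok = {}  # account -> first successful IMAP login from a spraying source
    hits = []
    for ts, src, proto, user, outcome, rcpts in events:
        if outcome == "OK" and proto == "IMAP" and src in sprayers:
            imap_ok.setdefault(user, ts)
        elif outcome == "OK" and proto == "SMTP" and user in imap_ok and rcpts >= min_recipients:
            hits.append((user, imap_ok[user], ts, rcpts))  # SMTP source may differ, so it is not matched
    return hits
```

On the constructed log, only `erin` is reported: the ordinary IMAP login and two-recipient send from `frank` do not match the pattern.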