This site is intended for health professionals only

Everything you need to know about Orangeworm

8 May 2018

Share this article

On 12 May 2017, the global WannaCry ransomware attack targeted the NHS. 
As a result:
• More than 200,000 computers were affected in 100 countries
• Almost 20,000 hospital appointments were cancelled
• 80 of 236 trusts suffered disruption in England 
• 603 NHS organisations including 595 GP practices were infected 
Almost a year after the attack, software company Symantec has identified a new threat to the NHS IT infrastructure.  
What is Orangeworm?
A group operating under the name Orangeworm has been targeting large international corporations in the United States, Europe – including 4% in the UK – and Asia.
With victims such as healthcare providers, pharmaceuticals and IT solution providers for healthcare and equipment manufacturers, the healthcare sector is its primary target, representing 39%. 
First identified in 2015, Orangeworm uses a Trojan horse, which has the potential to open a back door on the compromised computer, get remote access, gather information and download malicious files. 
Smartphone company Blackberry global healthcare industry lead and former nurse Sara Jost believes that the healthcare industry’s vulnerability is due to the ‘lack of IT experts and cyber security being seen as an afterthought’.
She says: ‘Care providers are targeted by cybercriminals with greater frequency than any other organisation. And thanks to old equipment and flagging security standards, these attacks find success far more often than they should.
‘From a criminal’s perspective, healthcare records are a golden goose. They contain all the information necessary for medical identity fraud, an extremely lucrative crime. 
‘Ensuring health data is safe from people who’d misuse it is just as much a part of effective patient care as efficient treatment.’
Healthcare security still lags behind other industries. According to a 2015 PricewaterhouseCoopers (PwC) report, it is more profitable for a criminal to sell medical data on the black market than stolen credit cards. 
For example, a ‘complete identity-theft kit containing comprehensive health insurance credentials can be worth hundreds of dollars or even $1,000 (£740) each’ while health insurance credentials alone can bring in $20 (£15) each, compared to $1 (74 pence) for a payment card.
What is being done to prevent further cyber attacks?
Following the attack, the Department of Health and Social Care (DHSC) invested £60m to tackle ‘key cyber security weaknesses’.
Additionally, a further £150m will be invested over the next two years to improve resilience alongside setting up a new National Secure Operations Centre (NCSC) to be better able to prevent, detect and respond to similar incidents. 
A recent multi-million deal with Microsoft will also give all NHS organisations the possibility to use Windows 10 and an advanced threat protection to instantly spot and respond to any arising issues. 
What can organisations do?
According to the UK Government agency National Cyber Security Centre, the following measures can help to limit the impact of a ransomware attack.
• Evaluating shared network permissions. System administrators with high levels of access should avoid using their admin accounts for email and web browsing.
• Limiting access to data and file systems to those with a business need to use them. 
• Having a back up of data. 
• Preventing all macros from executing, unless you have explicitly trusted them, and ensuring users do not have privileges to install software on their devices without the authorisation of an administrator. 
• Filtering web browsing traffic by using a security appliance or service to proxy the outgoing web browsing traffic. 
• Controlling removable media access.