Parts of the National Health Service were ‘ill-prepared’ for the WannaCry malware in May 2017, and the NHS has still a lot of work to do to improve cyber-security for when, and not if, there is another attack. That’s according to a committee of MPs. The NHS had to cancel almost 20,000 hospital appointments and operations, and patients were diverted from the five accident and emergency departments that were unable to treat them. Yet the NHS was lucky, says the Public Accounts Committee in a report. If the attack had not happened on a Friday afternoon in the summer and the kill switch to stop the virus spreading had not been found relatively quickly, then the disruption could have been much worse.
Committee Chair Meg Hillier said: “The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cyber security and response plans of the NHS. But the impact on patients and the Service more generally could have been far worse and Government must waste no time in preparing for future cyber attacks — something it admits are now a fact of life. It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed.
“Our report sets out how and why the Department of Health and Social Care and its national bodies should take the lead in ensuring these lessons are quickly translated into action. I am struck by how ill-prepared some NHS trusts were for WannaCry, in many cases failing to act on warnings to patch exposed systems because of the anticipated impact on other IT and medical equipment.
“Government must get a grip on the vulnerabilities of and challenges facing local organisations, as well as the financial implications of WannaCry and future attacks across the NHS. Cyber security investment cannot be properly targeted unless this information is collected and understood. There is much important work to do and we urge the Department to provide us with an update by the end of June.
“Meanwhile, this case serves as a warning to the whole of Government: a foretaste of the devastation that could be wrought by a more malicious and sophisticated attack. When it comes, the UK must be ready.”
Having a sufficiently skilled cyber workforce is a challenge, according to the report. Most NHS bodies could have prevented WannaCry by applying a patch released by Microsoft for Windows 7 (more than 90pc of devices in the NHS use that old and unsupported Windows 7 operating system). NHS Digital had issued CareCERT alerts in March 2017 and April 2017 asking them to apply this patch.
It’s not all gloom; at the very end of the report MPs note that NHS Digital worked closely with the National Cyber Security Centre (NCSC), during and after the WannaCry cyber-attack. The Department of Health told the committee that having a single organisation at the centre of government to work on cyber-security was very helpful. NHS Digital is working with the NCSC and Crown Commercial Service to engage trusted suppliers from outside the NHS who can support the NHS during a cyber-attack.
Comments
Senior member of the IEEE, Prof Steven Furnell, head of IT security at Plymouth University says: “The impact of last year’s WannaCry ransomware incident clearly revealed that hospitals are vulnerable to cyber-attacks. Following on from WannaCry, investment into NHS cybersecurity was clearly needed to not only plug that flaw but others as well. Indeed, in general terms, they need to be concerned about the full range of attacks that are out there, recognising that some (like malware) are essentially indiscriminate, whereas others may be specifically targeted towards the healthcare context.
“While mention of security most readily conjures up thoughts of preventing data disclosure, healthcare is a domain in which the availability and integrity of the systems and data can ultimately present far more pressing concerns than the confidentiality. Of course, we don’t want data to be disclosed and leaked either, but from the patient safety perspective this has typically less of an impact than if treatment and care decisions being offered on the basis of incorrect data, or in the absence of necessary information because systems are not accessible. As such, hospitals represent desirable targets if the aim is to generate fear or undermine confidence.
“Alongside their use of mainstream operating systems and applications, hospitals are also home to a variety of specialist applications, the age of which can sometimes mean they are tied to older OS platforms. This can present a clear challenge for security management and administration; even if the specialist application itself is robust, the need to retain a legacy platform on which to run it means that the overall IT landscape maintained within the organisation remains broader and offers a greater attack surface as a result. Moreover, if the older platform is something like Windows XP or Server 2003 then the severe risk is that the hospital is tied into software that has passed end-of-life, and no longer receives routine support to rectify vulnerabilities that continue to be discovered. The WannaCry incident was a notable exception here, with Microsoft releasing patches for both XP and 2003 once the scale of the problem became apparent. However, these were still retrospective fixes, released long after the patches for supported platforms had been made available, and only once the attacks had already started to have an impact, but more typically these remain untouched and attention is only given to platforms within.”
David Emm, principal security researcher, at IT security product company Kaspersky Lab, said: “In light of the news that all NHS organisations tested have failed their cybersecurity checks, it’s of vital importance that they work closely with their IT security teams to implement sophisticated, high-quality protection that will allow them to manage and protect customer data. Not just for the sake of ‘tick-box’ compliance, or to avoid hefty fines and embarrassing, often irreparable reputational damage, but to enable them and their patients to reap the many rewards of advanced digital healthcare, confident in the knowledge that data, devices and networks are secure. However, it is just important that they focus on the basics of security. Applying patches, downloading securing updates and keeping passwords hard to guess are simple practices that can go a long way, but it seems like this isn’t happening among healthcare organisations currently.
“Health data is attractive to criminals, and the interconnected medical devices that we are increasingly seeing present across healthcare institutes are susceptible to the same security risks as traditional IT devices.”
And Tony Pepper, CEO of Egress, a data transfer security product company that works with a number of NHS bodies, called it deeply concerning that little progress has been made to improve IT security in healthcare. “WannaCry was, quite literally, a big shock to the system but given the state that the NHS’s security was in, an incident on that scale was inevitable. WannaCry was not the most sophisticated attack – it was just the first at that level – and, given today’s statements, I’d bet that cyber criminals are working on developing new malicious tactics to outpace safeguards. The NHS cannot afford to drag its feet. Not only is the healthcare industry at risk of becoming a big bullseye for cyber criminals but on a more fundamental level, poor data practices can put the public’s sensitive information at risk day-to-day of misuse, employee errors, and accidental leaks.”
Paul Farrington Director EMEA and APAC Pre-Sales Consultant at CA Veracode, said: “As the industry’s dependency on software continues to grow, cyber criminals will be looking to exploit vulnerable software. In response the NHS must ensure it is working efficiently to be able to respond to these threats in an agile way. Central to this will be a sustained programme of testing for vulnerabilities in their software early – and often.”
Picture by Mark Rowe; outside Guy’s, Southwark, London.
