WannaCry cyber attack report

by Mark Rowe

The Department of Health (DoH) was warned about the risks of cyber attacks on the NHS a year before the WannaCry virus hit hospitals so badly that the NHS had to cancel thousands of appointments, and five NHS trusts, in London, Essex, Hertfordshire, Hampshire and Cumbria, had to divert patients to other accident and emergency departments. Of 236 trusts in total, 37 were infected and locked out of devices, according to a National Audit Office report.

For the full 52-page report, visit the NAO website.

Separately, as featured in the August 2017 print issue of Professional Security magazine, NHS institutions will still be using unsupported IT systems for months, despite recent high-profile ransomware attacks that left some hospitals closed and in chaos, the Government has admitted. In its response to two data reviews in the summer, the UK Government said that it will support the NHS locally to ‘ensure they are identifying and moving away from, or actively managing, any unsupported systems by April 2018’.

The DoH and Cabinet Office wrote to trusts in 2014, saying it was essential they had ‘robust plans’ to migrate away from old software, such as Windows XP, by April 2015. In March and April 2017, NHS Digital had issued critical alerts warning organisations to patch their systems to prevent WannaCry. However, before Friday, May 12, the day that the malware hit the world, the Department had no formal mechanism for assessing whether local NHS bodies had complied with its advice and guidance and whether they were prepared for a cyber attack.

Amyas Morse, head of the National Audit Office, said: “The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

The cyber attack could have caused more disruption if it had not been stopped by a cyber researcher activating a ‘kill-switch’, the report points out. The attack led to disruption in at least 34pc of trusts in England, although the Department and NHS England could not tell the NAO the full extent of the disruption. As the NHS had not rehearsed for a national cyber attack it was not immediately clear who should lead the response. As for communicating, NHS Improvement did communicate with trusts’ Chief Executive Officers by telephone. The NAO found that communication was difficult in the early stages of the attack, as many local organisations could not communicate with national NHS bodies by email because they had been infected by WannaCry or had shut their email systems as a precaution. Though not an official way of communicating, personal mobile devices, including use of the encrypted WhatsApp application, worked well in the crisis, according to the report.

On May 12, NHS England initially identified 45 NHS organisations including 37 trusts that had been infected by the WannaCry ransomware. At least 81 out of 236 trusts across England were affected. A further 603 primary care and other NHS organisations were infected by WannaCry, including 595 GP practices. However, the DoH does not know how many NHS organisations could not access records or receive information, because they shared data or systems with an infected trust. NHS Digital told the audit body that it believes no patient data were compromised or stolen.

Thousands of appointments and operations were cancelled and in five areas patients had to travel further to accident and emergency departments. Between May 12 and 18, NHS England collected some information on cancelled appointments, to help it manage the incident, but this did not include all types of appointment. NHS England identified 6,912 appointments had been cancelled, and estimated over 19,000 appointments would have been cancelled in total. Neither the Department nor NHS England know how many GP appointments were cancelled, or how many ambulances and patients were diverted from the five accident and emergency departments that were unable to treat some patients.

The DoH, NHS England and the National Crime Agency told the NAO that no NHS organisation paid the ransom, but the DoH does not know how much the disruption to services cost the NHS. Costs included cancelled appointments; additional IT support provided by NHS local bodies, or IT consultants; or the cost of restoring data and systems affected by the attack. National and local NHS staff worked overtime including over the weekend of May 13 and 14 to resolve problems and to prevent a fresh wave of organisations being affected by WannaCry on Monday, May 15.

Between May 15 and mid-September NHS Digital and NHS England identified a further 92 bodies, including 21 trusts, as contacting the WannaCry domain, though some of these may have been contacting the domain as part of their cyber security activity. Of the 37 trusts infected and locked out of devices, 32 were located in the North NHS Region and the Midlands and East NHS region. NHS England believe more organisations were infected in these regions because they were hit early on May 12 before the WannaCry ‘kill switch’ was activated.

The DoH had developed a plan, which included roles and responsibilities of national and local organisations for responding to an attack, but had not tested the plan at a local level. As the NHS had not rehearsed for a national cyber attack it was not immediately clear who should lead the response and there were problems with communications.

NHS England initially focused on maintaining emergency care. Since the attack occurred on a Friday it caused minimal disruption to primary care services, which tend to be closed over the weekend. Some 22 of the 27 infected acute trusts managed to continue treating urgent and emergency patients throughout the weekend. By Tuesday, May 16 only two hospitals were still diverting patients. The recovery was helped by the work of the cyber security researcher who stopped WannaCry spreading.

NHS Digital told the auditors that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves. Infected organisations had unpatched or unsupported Windows operating systems, so were susceptible to the ransomware. However, whether organisations had patched their systems or not, taking action to manage their firewalls facing the internet would have guarded organisations against infection.

The NHS accepted that there were ‘lessons to learn’ from WannaCry. NHS England and NHS Improvement have written to every major health body asking boards to ensure that they have implemented all alerts issued by NHS Digital between March and May 2017 and taken essential action to secure local firewalls.

Picture by Mark Rowe: hospital door access, Leicester.

Comments

Gavin Millard – Technical Director of Tenable, said: “In theory, Wannacry could have been easily prevented by deploying a freely available patch and restricting or removing a ubiquitous service called SMB from Windows systems that couldn’t be updated. In reality though, due to the complex networks in place, overlapping ownership of devices and systems that can’t be updated due to contractual issues with the suppliers, this was far from trivial to accomplish.

“To be resilient to further attacks of this nature, each of the NHS trusts has to ensure foundational security controls are in place and identify where improvements are needed. The UK government has already defined controls every critical infrastructure should follow with schemes such as Cyber Essentials and NIS. But to implement these guidelines effectively, investment is required into a public sector that is already severely lacking funds.”

Paul Farrington, Manager, EMEA Solution Architects, Veracode, said: “As our dependency on software grows, attacks like these from cyber criminals will also continue to increase. But for organisations such as the NHS, these attacks are more than just a case of reputational damage – they can also have fatal consequences. To prevent cyber-attacks of this scale, not only does the NHS need to apply critical cyber-security updates but it must have effective leadership in this area so that when an attack strikes it is dealt with speedily and effectively.”

And Russell Crampin, UK managing director, Axians said: “Network security is just as much a question of strategy, process and, perhaps most importantly, user education, as it is investing in the appropriate technologies. The extent of damage dealt to the NHS by the relatively unsophisticated WannaCry ransomware attack is a great example of this.

“It’s essential to factor security in from the very beginning, and not just throw money at firewalls. Businesses should identify any potential data risks, look at the implications of changes in legislation and the fines that could result, impact on brand and responsibilities of directors at the very beginning of any design. The variety of structured and unstructured attacks that cybercriminals can deploy has increased, and with it, threats relating to cybersecurity are growing. With a constantly changing threat landscape, businesses must stay fully informed and prepared.

“Our recommendation would be to look at the existing network, ensure that the design is future focused and look at the type of services customers will be demanding over the next three to five years. From this, plan upgrades to move towards this capability with security being the first priority.”

Andrew Clarke, EMEA Director at One Identity said: “Often we see cases where the organisation gets impacted by an attack – ransomware being the most reported – and afterwards we hear that the issue has been ignored, advice has been misunderstood or there has been a lack of visibility into whether or not the advice has been implemented comprehensively. This is not just about the NHS, as for example in the recent case of Equifax we heard afterwards that a security notification regarding Adobe Struts application had not been applied thoroughly.

“In many cases the organisation does not have an inventory of all operating systems and applications that need to be patched – which makes the challenging task of patching even harder – a robust patch management system would aid that. In the case of NHS, we do know that Windows XP systems were still in place and that Microsoft is no longer maintaining that operating system. So by continuing to use it, the door was always open for an attack to be successful given that vulnerabilities are emerging all the time.

“However, one of the factors at the NHS that we must consider is that some of the specific medical equipment being used was only ever designed to run Windows XP – so in that case the options are limited. What could have been done better was the compartmentalization of environments that were known to be running older software so that if they did get impacted, the damage could be limited. This would have required internal firewalls and mirroring best practices that have been adopted by more sensitive IT installations.

“Authentication measures that step beyond passwords and embrace multi-factor authentication are a positive step in the right direction in controlling access. Beyond the basic IT security measures that can be adopted, some of the more recent innovations around identity and access management need to be in place in the NHS.

“We know that the security basics are important and the NHS cyber security strategy has focused on securing the wider enterprise having implemented core infrastructure security components such as Firewalls; Intrusion Detection and Malware prevention, but it is now about ensuring their security coverage really stops this new wave of malware while also enabling them to operate effectively.”
