NHS Cyberattacks - One Year On
On Friday 12 May 2017, the NHS fell victim to the largest single cyberattack in its history. WannaCry was not aimed at the NHS specifically: it was a self-propagating worm that infected any reachable, unpatched Windows machine, and it is still not clear whether its authors wanted to extort money or simply to cause as much disruption as possible.
We are told that no one in the organisation paid the ransom of $300 in Bitcoin (around £230) demanded to unlock each infected machine, and that no patient data was compromised or stolen.
However, we also know that the attack caused costly disruption at a third of NHS trusts and an estimated 19,000 people had to have their appointments or operations cancelled.
Potentially, the attack could have been far worse.
For all its impact, the National Audit Office's subsequent investigation found that the attack was predictable and preventable, had the NHS applied stricter cyber security measures.
The NHS had suffered dozens of less severe cyberattacks in the years before WannaCry, and it had been warned that it was susceptible because of its reliance on unsupported Windows XP systems.
Action was being taken. In March and April 2017, NHS Digital had issued critical alerts warning organisations to ensure their security patches were up to date, precisely in order to prevent an attack like WannaCry.
Despite that, after the attack we were told that many of the 81 trusts and almost 600 GP practices affected were running either unpatched or unsupported Windows operating systems, which left them vulnerable.
Vulnerable to attack
Patching the systems would undoubtedly have guarded them against infection: the flaw WannaCry exploited was in SMBv1, and Microsoft had fixed it in the MS17-010 update released in March 2017, two months before the attack. So too would a relatively simple action: blocking inbound SMB (TCP port 445) at internet-facing firewalls, which would have stopped the worm reaching unpatched machines from outside. The caveat is that perimeter firewalls alone do not stop a worm spreading between unpatched machines once it is inside a network, which is why the two measures belong together.
While the Department of Health and Social Care had also developed a plan for responding to a cyberattack, it had not been fully tested, and there was still confusion over who should lead the response, which was made worse by the communication problems the attack itself caused.
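The two controls named above can be checked on a single Windows host. The script below is an added example written for this page, not code from Brother, NHS Digital or the NAO report; it assumes an elevated PowerShell session on Windows 8.1/Server 2012 R2 or later (for the SmbShare and NetSecurity cmdlets), and the hard-coded KB identifiers are the MS17-010 updates for Windows 7/Server 2008 R2, which the reader should swap for the identifiers covering their own builds.

```powershell
# Added example: audit one Windows host for the two conditions the text describes,
# an SMBv1 service that has not received MS17-010, and inbound SMB (TCP 445) permitted
# by the host firewall on public networks.
# Assumptions: elevated session; Windows 8.1 / Server 2012 R2 or later.
# The default KB list is for Windows 7 / Server 2008 R2 (security-only and monthly
# rollup). On Windows 10 later cumulative updates supersede the original KBs, so
# absence of a listed KB there is not proof of exposure; adjust the list from the
# Microsoft bulletin for the build being audited.

param(
    [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012215')
)

$findings = @()

# 1. Is the SMBv1 server protocol still enabled?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled'
}

# 2. Is at least one of the MS17-010 updates installed?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if (-not $installed) {
    $findings += "None of $($Ms17010Kbs -join ', ') is installed"
}

# 3. Does an enabled inbound Allow rule open TCP 445 (or all ports) on the Public profile?
$exposed = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { "$($_.Profile)" -match 'Public|Any' } |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $port.Protocol -eq 'TCP' -and
            (($port.LocalPort -contains '445') -or ($port.LocalPort -contains 'Any'))
    }
foreach ($rule in $exposed) {
    $findings += "Inbound TCP 445 allowed on Public profile by rule '$($rule.DisplayName)'"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: SMBv1 disabled, MS17-010 present, no public inbound 445 rule'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

# Remediation for findings 1 and 3 (uncomment to apply; the patch itself comes via
# Windows Update or WSUS, not from this script):
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# New-NetFirewallRule -DisplayName 'Block inbound SMB from public networks' `
#     -Direction Inbound -Protocol TCP -LocalPort 445 -Profile Public -Action Block
```

Run it per host, or wrap it in Invoke-Command for a fleet; a host that reports no findings still needs the perimeter firewall checked separately, since this script only sees the Windows host firewall.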
So, with the benefit of hindsight, we look back at what went wrong and ask, what would happen if another similar attack hit the NHS today?
The NHS's response after the attack was swift and transparent, with an admission that the organisation had important lessons to learn.
NHS Digital provided 24/7 specialist support and issued a series of bulletins to guide and reassure staff with cyber security responsibilities, helping them respond effectively to the threat.
Real-time monitoring of national NHS IT systems was supported by cyber security testing and training.
NHS England then wrote to every major health body asking them to confirm they had implemented all alerts issued by NHS Digital between March and May 2017, and taken essential action to secure their local firewalls.
A new Guide to Patching was published, which provided updated recommendations and more detailed guidance on how to apply patches to operating systems locally.
So, we can see that, by taking some relatively simple steps, the NHS is now far more resilient than it was, but the important lesson to learn is that the threat of cyberattack remains a very real and serious one.
Upgrading awareness
Going forward, we can’t afford to take our eye off the ball again.
When new technology is commissioned and installed, security must be a top priority.
That includes printer networks, which can often be overlooked and should be afforded the same level of security attention as the rest of your IT infrastructure.
IT managers need to ensure their information security management systems meet the globally recognised standard ISO/IEC 27001:2013, and that sensitive data, at rest and in transit, is encrypted with the Advanced Encryption Standard (AES), the NIST-standardised cipher that governments use to protect sensitive data. AES is an algorithm to adopt rather than a standard to be certified against, so the practical check is whether devices and services actually use it.
One year on, we’ve seen how WannaCry has resulted in an elevated awareness of security within the NHS.
Sadly, we can predict that the NHS is only likely to come under attack again, but with the organisation’s IT community now primed to act and with security being built into systems at every level, the NHS is no longer the easy target that it once was.
Find out more about Brother's healthcare solutions.