Features Hub Opinion

Two years on from WannaCry, are NHS trusts just as vulnerable?

Thu 25 Apr 2019 | David Kay

Paucity of funding, shortage of cyber security skills and an enlarged attack surface means the NHS remains at risk, writes David Kay

When the WannaCry ransomware struck in May 2017 many organisations were caught out by what was essentially a patching issue affecting users of various versions of the Microsoft OS.

There was a certain irony attached that this exploit originated with the US National Security Agency and was at that time called EternalBlue. The virus was subsequently put up on the dark web by a group called the Shadow Brokers who then passed it into the hands of malevolent actors. Ironic, indeed, as it’s widely accepted that the WannaCry attack originated in North Korea, a state largely hostile to US interests through its cyber activities.

WannaCry

The attack brought the software known as ransomware into the public domain. WannaCry victims’ data files were encrypted and a bitcoin ransom was demanded by the attackers in order to restore the data to a usable state.

Microsoft hurried out some emergency patches having been warned by the NSA a couple of months in advance of the attack that the ransomware might have fallen into the wrong hands. Within a day of the attack, it was reported that some 230,000 computers had been affected across 150 different countries.

The victims were many. They ranged from Deutsche Bahn, FedEx, Renault and Honda, to the Russian Railways and Saudi Telecom. Many universities and government agencies across the globe were also impacted.

However, perhaps the most high profile victim here in the UK was the NHS. The attack cost the NHS over £90m and resulted in the cancellation of over 19,000 appointments. In total over 70,000 NHS devices were affected, and not just computers; devices such as MRI scanners, blood storage refrigerators and theatre equipment were also said to have been hit.

Over a third of NHS trusts were disrupted by the attack and the NHS was subsequently criticised for running old unpatched versions of Microsoft OS, including the 17-year-old Windows XP which, by the time of the attack, was out of marketing support.

Intensive care

Although around £200m has been earmarked for a technology refresh for the NHS, the fact remains that the NHS is still just as vulnerable, and perhaps even more so given the advent of new technologies.

In the months following WannaCry, the NHS’s cyber practices were rightly scrutinised, and the findings were sobering. A year ago it was revealed that every single NHS trust assessed for cyber security competency failed its resiliency assessment. 200 trusts were audited and no timeline has been given for the remaining 36. At the end of 2018, it was also revealed that 25 percent of NHS trusts had zero cyber security professionals under employment.

The problem is compounded by a wider cyber security skills shortage that affects all sectors. NHS trusts will always struggle to find the necessary skills with which to defend its IT systems as there is a chronic shortage of skills in the market as a whole.

Some commentators say the global cyber security workplace will lack around 2 million skilled professionals by the year 2022 (and those are the more conservative estimates).

“Patients inside and outside of hospital walls are increasingly at risk as facilities and theatres become more connected and remotely accessible”

Clearly, a great deal more money needs to be directed towards the NHS to plug this gaping cyber-gap. But our great national institution is still chronically short of funds to make the necessary investments. New, more sophisticated, attacks could find the NHS vulnerable again. If attacked, similar investigations would follow, the same finger-pointing would ensue, and funding concerns would again be raised. The damage caused, however, could eclipse the havoc wreaked by WannaCry.

The deployment of intelligent and connected medical devices, and the need to treat medical and social care conditions remotely at home is advancing the rise of medical IoT. This suite of technologies is exponentially expanding the potential attack surface against the NHS.

All of us recognise the benefits that remote care can offer – especially to the elderly who seek to retain their independence – but none of us want them to become new channels that expose our most vulnerable to malicious actors. Patients inside and outside of hospital walls are increasingly at risk as facilities and theatres become more connected and remotely accessible. The thought of critical life-saving medical infrastructure and devices being hacked raises natural concerns for us all.

Digital divide

The role of the in house IT strategy body, NHS Digital, is important in defining standards and governance for the cyber security aspects of NHS trusts’ IT infrastructure. NHS Digital has published strong security guidelines for all NHS trusts. They are comprehensive, well-reasoned, but doubtless still not fully implemented across the health service. It was inauspicious that the first ever NHS digital cyber security chief resigned in early 2019 after only three months in his post.

There are nevertheless positive signs on the horizon. NHS Digital signed a three year deal with IBM in 2018 to deliver the new NHS Cyber Security Operations Centre which will be able to monitor systems, provide vulnerability assessments, and deliver threat intelligence to all NHS bodies. However, this service is still two years away from being fully operational.

My advice to NHS trusts right now is to consult further with NHS Digital to address the critical cyber security skills issue. It may well also benefit many trusts to invest in a specialist managed security service to attempt to solve the urgent capital budget and skills problems they all face. At the same time, it would pay dividends if trusts invest in education to form the relevant knowledge and instil a culture of security among staff.