Paucity of funding, shortage of cyber security skills and an enlarged attack surface means the NHS remains at risk, writes David Kay
When the WannaCry ransomware struck in May 2017, many organisations were caught out by what was essentially a patching issue affecting users of various versions of the Microsoft OS.
There was a certain irony attached: this exploit originated with the US National Security Agency and was at that time called EternalBlue. The exploit was subsequently put up on the dark web by a group called the Shadow Brokers, who then passed it into the hands of malevolent actors. Ironic, indeed, as it’s widely accepted that the WannaCry attack originated in North Korea, a state largely hostile to US interests through its cyber activities.
The attack brought the software known as ransomware into the public domain. WannaCry victims’ data files were encrypted and a bitcoin ransom was demanded by the attackers in order to restore the data to a usable state.
Microsoft hurried out some emergency patches, having been warned by the NSA a couple of months in advance of the attack that the ransomware might have fallen into the wrong hands. Within a day of the attack, it was reported that some 230,000 computers had been affected across 150 different countries.
The victims were many. They ranged from Deutsche Bahn, FedEx, Renault and Honda, to the Russian Railways and Saudi Telecom. Many universities and government agencies across the globe were also impacted.
However, perhaps the most high-profile victim here in the UK was the NHS. The attack cost the NHS over £90m and resulted in the cancellation of over 19,000 appointments. In total over 70,000 NHS devices were affected, and not just computers; devices such as MRI scanners, blood storage refrigerators and theatre equipment were also said to have been hit.
Over a third of NHS trusts were disrupted by the attack, and the NHS was subsequently criticised for running old unpatched versions of the Microsoft OS, including the 17-year-old Windows XP which, by the time of the attack, was out of support.
Although around £200m has been earmarked for a technology refresh for the NHS, the fact remains that the NHS is still just as vulnerable, and perhaps even more so given the advent of new technologies.
In the months following WannaCry, the NHS’s cyber practices were rightly scrutinised, and the findings were sobering. A year ago it was revealed that every single NHS trust assessed for cyber security competency failed its resiliency assessment. 200 trusts were audited, and no timeline has been given for the remaining 36. At the end of 2018, it was also revealed that 25 percent of NHS trusts employed no cyber security professionals at all.