The NHS WannaCry attack: what have we learned, and what does the future hold?
The National Audit Office (NAO) has recently published a report on the global ransomware attack known as WannaCry, which affected more than 200,000 computers across 100 countries. In the UK the attack mainly affected the NHS, and NHS England declared it a major incident. It affected 81 trusts and 603 primary care and other organisations, including 595 GP practices across England. It was the largest cyber attack ever to hit the NHS.
All infected organisations shared the same weakness: Windows systems that were either unpatched or running an unsupported version of the operating system. WannaCry spread by exploiting a vulnerability in Microsoft's SMBv1 file-sharing protocol (MS17-010), for which Microsoft had released a patch in March 2017, two months before the attack. A warning had been issued in 2014 to move away from old operating systems such as Windows XP, and NHS Digital issued critical alerts in the two months before WannaCry telling organisations to patch their systems. Organisations that had properly managed their internet-facing firewalls, blocking inbound SMB traffic from untrusted networks, would also have been guarded against infection.
It is not possible to eliminate all cyber threats, but organisations can prevent harm through good cyber-security practice: maintaining up-to-date firewalls and anti-virus software, and applying patches (updates) in a timely manner. NHS England's view is that WannaCry infected parts of the NHS mainly because those organisations had failed to maintain these basic practices.
So what was the disruption?
Thousands of appointments cancelled, including patient operations
NHS organisations unable to access patient records
Delays in receiving test results from infected trusts
Patients diverted away from A&E departments at infected trusts
The cost to the NHS is unknown, as is the additional cost of IT support and consultancy in restoring systems and recovering lost data. The cost would have been significantly higher had the kill switch not been activated when it was: a security researcher registered the domain name that the malware checked before spreading, which halted the worm's propagation on the first day of the attack.
Although the Department of Health had undertaken a review of cyber security in the NHS, the resulting report was not published until after WannaCry. In July 2017 "Your Data: Better Security, Better Choice, Better Care" was published. One of its recommendations is that all health and social care organisations should provide evidence that they are taking action to improve cyber security, for example through the government's Cyber Essentials scheme.
What is Cyber Essentials, and how can it support NHS organisations?
Cyber Essentials is a government-backed certification scheme, owned and endorsed by the NCSC (National Cyber Security Centre), designed to help make the UK a safer place to do business online.
Cyber Essentials sets out five basic security controls (boundary firewalls and internet gateways, secure configuration, user access control, malware protection, and patch management) which together will defend organisations against 88% of known cyber attacks. It draws on the NCSC's 10 Steps to Cyber Security, which the NHS has embedded in the NHS Standard Contract for 2017-18.
In the case of the NHS WannaCry attack, proper application of the Patch Management control would have defended the affected trusts: the MS17-010 update had been available for two months. The Boundary Firewalls control, applied so that inbound SMB (TCP port 445) is blocked from the internet, would have stopped the worm reaching them in the first place, and the Secure Configuration control, by disabling the legacy SMBv1 protocol, would have removed the exploitable service altogether.
For further information about Cyber Essentials, see the NCSC's Cyber Essentials pages.
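The preconditions described above (unsupported OS, missing MS17-010, SMBv1 exposed, host firewall off) are all things an administrator can audit from PowerShell. The script below is an added example written for this page; it is not from the NAO report, NHS Digital or the Cyber Essentials scheme. It assumes an elevated PowerShell session on Windows 7 or later. The KB numbers listed are the March 2017 MS17-010 security updates for the named Windows families and are an assumption to be checked against Microsoft's current guidance; because later cumulative rollups supersede them, a "missing" KB is inconclusive and the srv.sys version is reported alongside for comparison with Microsoft's MS17-010 verification table.

```powershell
# Added example: read-only audit of the WannaCry preconditions on one Windows host.
# Not taken from the NAO report or the Cyber Essentials scheme; see assumptions above.

function Get-WannaCryExposure {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver = [version]$os.Version

    # 1. Unsupported operating system. Anything below 6.1 (Windows 7 / Server 2008 R2)
    #    was already out of support in May 2017. Windows 7 has since joined them
    #    (January 2020), so raise this threshold for a present-day audit.
    $unsupported = $ver -lt [version]'6.1'

    # 2. srv.sys is the SMBv1 server driver that the MS17-010 update replaced.
    #    Its version can be compared with Microsoft's published MS17-010 minimums;
    #    if the file is absent, the SMBv1 server is not installed at all.
    $srvPath    = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    $srv        = Get-Item -Path $srvPath -ErrorAction SilentlyContinue
    $srvVersion = if ($srv) { $srv.VersionInfo.FileVersion } else { 'not installed' }

    # 3. SMBv1 enabled? The registry value is absent by default, which means "enabled".
    #    Windows 8 / Server 2012 and later expose the live setting directly.
    $lanman    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1Value = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $smb1Value) -or ($smb1Value -ne 0)
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $smb1Enabled = $smb1Enabled -and ($null -ne $srv)

    # 4. MS17-010 evidence via installed hotfixes. Assumed KB list (verify against
    #    Microsoft's guidance): Windows 7 / 2008 R2 security-only and monthly rollup
    #    (KB4012212, KB4012215), Windows 8.1 / 2012 R2 (KB4012213, KB4012216), and the
    #    update for Vista / Windows 8 and the out-of-band XP / 2003 fix (KB4012598).
    #    Later rollups supersede these, so an empty result is inconclusive, not a finding.
    $ms17010Kbs   = 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216', 'KB4012598'
    $installedKbs = @(Get-HotFix -ErrorAction SilentlyContinue |
                      Where-Object { $ms17010Kbs -contains $_.HotFixID } |
                      ForEach-Object { $_.HotFixID })

    # 5. Host firewall state per profile (the "boundary firewalls" control). Inbound
    #    TCP 445 from untrusted networks is how the worm arrived.
    $firewallOff = @()
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        $firewallOff = @(Get-NetFirewallProfile |
                         Where-Object { $_.Enabled -ne 'True' } |
                         ForEach-Object { $_.Name })
    } else {
        # Windows 7 lacks the NetSecurity module; fall back to netsh.
        $state = netsh advfirewall show allprofiles state
        if ($state -match 'OFF') { $firewallOff = @('at least one profile (see netsh)') }
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OperatingSystem     = $os.Caption
        OSVersion           = $os.Version
        UnsupportedOS       = $unsupported
        SMB1Enabled         = $smb1Enabled
        SrvSysVersion       = $srvVersion
        MS17010KBsFound     = ($installedKbs -join ',')
        FirewallOffProfiles = ($firewallOff -join ',')
        # SMBv1 reachable and no MS17-010 hotfix seen: investigate srv.sys version next.
        LikelyExposed       = $smb1Enabled -and ($installedKbs.Count -eq 0)
    }
}

Get-WannaCryExposure | Format-List
```

To run the same check across an estate, pass the function to remote hosts with `Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-WannaCryExposure}` and export the returned objects to CSV; hosts reporting `LikelyExposed = True` or `UnsupportedOS = True` are the ones that fail the Patch Management and Secure Configuration controls that this section discusses.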