Cyber attacks: time to end the blame game

25 May 17

As the news cycle begins to move on and trusts’ IT systems return to “normal”, now is a good time to take an objective view of the high-profile ransomware attack earlier this month.

Firstly, it’s safe to say that the overused trope of NHS managers being at fault in allowing this attack to get through is certainly way off.

You only need to look at the number and list of other companies hit by this particular attack (FedEx, Renault, Telefonica, China National Petroleum Corp, the Indian State Police and Deutsche Bahn, to name but a few) to realise this is a global problem and not only an NHS one.

It’s also easy to glibly state that a simple patch would have protected a trust, but what isn’t simple is managing a large and complex IT infrastructure and estate, including a wide array of technologies run on a multitude of operating systems and software, all dealing with patches and upgrades in significantly different ways.

There may be many, often complex, reasons why an NHS trust or any of the companies hit by the WannaCry ransomware attack didn’t install one specific patch. Their priority is to maintain services, not put them at risk.

It’s immensely important to emphasise that all organisations need to focus on prevention, but realise that prevention will never be enough. There will always be ransomware, or other malware, that is one step ahead and will get through the best of security systems. There will always be a need to focus on keeping systems up to date and on using the best security in preventing as many attacks as possible, but just as important is knowing what to do when one gets through the defences.

In many ways the NHS is ahead of other industries here, as we’ve been planning how to deal with major incidents like this for a very long time. Business continuity and disaster recovery plans were implemented swiftly and comprehensively in those trusts affected last week when it became clear what had happened, and these were well-rehearsed, thought-out plans designed to minimise disruption to patients and ensure continuity of each trust’s services.

And they worked.

Not only did they work, but they were appropriate to the level of risk and exposure that each individual trust faced. From a full-blown silver command set-up to some trusts taking down specific systems, each of the affected trusts had a measured, controlled response that minimised downtime and disruption for patients.

Naturally, the impact of this incident was amplified due to the nature of what the NHS delivers, and it is therefore easy to miss just how sophisticated and comprehensive the response actually was.

Over the coming weeks all trusts, and clearly most businesses, will be reviewing just how secure and up to date their current IT systems are, particularly against cyber criminals’ current preferred weapon of ransomware.

Inevitably, this will shine a light on what in some places is an ageing IT infrastructure in the NHS and how constraints on capital spending in recent years have hindered efforts to keep pace with technological change.

However, in all of this we do know that if, and more likely when, another cyber attack successfully breaches our defences, the NHS will be ready and equipped to deal with the consequences and continue to deliver the quality care it always does.
