In an arms race with the bad guys

27 Oct 17

The NHS learnt a lot about its defences during the WannaCry attack. It must now get ready for something more sophisticated, says John Thornton.

The WannaCry ransomware attack this year was the largest cyber incident ever to hit the NHS. While it wasn’t targeted at the NHS, it caused widespread disruption and reputational damage. Hospitals and GP surgeries had to turn patients away, cancel appointments and postpone operations.

In total, over 300,000 computers were infected in 150 countries. In the UK, the NHS was the most high-profile organisation affected and, in the days following the attack, there was a lot of understandable criticism of national bodies, NHS managers and the government.

Senior managers at NHS Digital describe WannaCry as the best (albeit unwanted) learning experience the NHS could have in terms of testing their plans and processes. Their “war room” was established within 60 minutes and most of the processes clicked into place. However, the attack exposed weaknesses in investment decisions, patching, communications and coordination.

The King’s Fund said the attack exposed the “deprioritisation” of IT and cybersecurity investment nationally and locally. It added that the government had conflated data security with policy about data sharing and consent, which reinforced the idea that security is primarily about privacy rather than patient safety.

Cybersecurity was characterised as a “governance risk”, which meant the risks associated with systems being made unusable by cyberattacks took a back seat to privacy. The government has since said it will invest an additional £50m in NHS data and cyber security.

WannaCry exploited a known vulnerability. All NHS organisations had been offered a software patch that would have prevented the attack, but many had not applied it. Only 47 NHS bodies were directly affected but the cyberattack had a wider impact as trusts and clinical commissioning groups shut down their systems as a precaution, with many GPs switching off systems on the advice of CCGs. As a result, many patients were unable to access healthcare as records, appointment systems and medical equipment were unavailable.

All NHS bodies have been reminded by CareCERT, the NHS Computer Emergency Response Team, about keeping patching up to date and operating high standards of cyber hygiene.

At a recent cyber conference, a senior representative from NHS Digital said that perhaps the most significant learning point was the need for a more prompt response in the first 60 minutes of an incident. Obviously, it’s difficult to give advice while you are trying to work out what is going on. But you do need to be immediately visible, communicating and coordinating. As he explained, it is difficult to update and coordinate organisations that have shut down their email systems. At the same time, the press and social media are moving into overdrive. Everyone involved in major incidents needs to be able to respond to the multiple communication channels and the speed at which information (true or false) ricochets around such incidents.

WannaCry was a fairly unsophisticated attack that was not aimed at the NHS. As one ICT director put it, the NHS is now in an arms race with the bad guys. What would have happened if a sophisticated attacker had specifically tried to bring down the NHS or steal the vast amounts of valuable personal data it holds?

John Thornton

John Thornton is the Director of e-ssential Resources and an independent adviser on business transformation, financial management and innovation.
