Last Friday the world was stunned. A ransomware program, then largely unknown, took root and paralysed organisations across the globe. As the damage spread, WannaCry quickly became the watchword for cyber-security firms, before moving on to dominate the rolling news cycle and the twittersphere. The impact felt more akin to a full scale terror-attack than a cybercrime, such was the level of hysteria and disruption.
The NHS was one of the worst affected institutions worldwide: around 70,000 devices from computers to MRI scanners were paralysed, surgeries were cancelled, people were turned away from their appointments, and staff were forced to revert to pen and paper. In all, 48 NHS Trusts across England and 13 NHS organisations in Scotland reported difficulties at hospitals.
Since WannaCry reared its head, many questions have been asked: Why is anyone still using Windows XP? Why are Government agencies stockpiling exploits? Why aren’t we spending more on critical technology infrastructure? From these questions, one answer remains clear – WannaCry was spread by our own hand.
Out Of Date Technology
At the heart of this technological crisis lies a human condition. The dated nature of many of the NHS’s computer systems was initially believed to have enabled the virus’ spread, particularly the organisation’s continued reliance on Windows XP. Microsoft stopped supporting the system back in 2014, and shortly after the Government recommended that staff move onto new systems as quickly as possible, as a Department of Health paper reveals.
But a Freedom of Information Request issued by software company Citrix in December 2016 found that 90% of NHS Trusts still run XP on numerous systems. For unknown reasons, recommendations had not been implemented by staff.
But this isn’t a question of searching for a culprit on which to lay the blame. The problem extends across the organisation and many of the NHS services – from training to technology – are simply outdated.
Had workers been given more up-to-date equipment and properly trained on the evolving phishing threats – which are becoming increasingly sophisticated – the attack could have been limited. Security Minister Ben Wallace told Good Morning Britain that a method as simple as an email attachment was the, “most likely form of delivery,” of WannaCry onto the NHS’s network. Symptomatic of this, was the reaction of NHS Wales, which blocked emails from external senders to staff accounts as the outbreak first struck on Friday.
He said: “These types of ransomware are usually effectively disguised. They come in on what looks like a routine email from a friend or someone else. That meant that it spreads incredibly quickly across any organisation that has a large network. Of course, the NHS has a very large network where the computers are on all the time, allowing it to get that momentum.”
Cyber Attack Warnings
UK Defence Secretary Michael Fallon was quick to defect the blame onto Trusts, claiming on The Andrew Marr Show on Sunday that NHS staff were given repeated warnings about the possibility of attack. But Fallon’s comments are indicative of an attitude to shirk responsibility for what should be an intimate relationship between government and infrastructure.
Since the attack, security professionals have weighed in and intimated that the most likely conduit for WannaCry is a loophole in file-sharing networks. The issue had been patched in an update by Microsoft in March, but they believe that a failure to adopt this update, likely spurred by the NHS’ reliance on a number of different computers and operating systems, facilitated WannaCry’s spread.
On Monday Jeremy Corbyn criticised this reliance as a knock-on effect of a lack of funding for services under the Conservative government. Mr Corbyn told the Royal College of Nursing conference in Liverpool: “A&E departments struggling to cope. Waiting lists soaring. And – as we saw last week – the Tory cuts have exposed patient services to cyber-attack. – Our health service is being dismantled by stealth. Over the last seven years, our NHS has been driven into crisis after crisis.”
Funding Not Enough?
Funding is a good start, but it might not be enough. Detailed guidance on threats and updates has to be administered at every level if the NHS is to be adequately protected. This is a problem that goes right to the top. Last year Health Secretary Jeremy Hunt was warned in a joint letter from the Care Quality Commission’s Chief Executive David Behan and the National Data Guardian Dame Fiona Caldicott that ‘as a matter of urgency’ an update to the NHS’s computer systems was needed.
They asked Hunt to ensure that, “no unsupported operating systems, software or internet browsers are used within the IT estate”.
Cloud solutions company Accellion made another startling discovery in December 2015 when they too submitted an FoI request related to tech in the NHS working environment. They found that up to 71% of NHS Trusts in England used smart devices in the workplace, but the same proportion had ‘limited to no training’ surrounding the safeguarding of information on these platforms. 41% of respondents also claimed that they relied on the security of their server, encryption, or the goodwill of fellow members of staff to uphold information security.
Lack Of Innovation
While smart devices were unaffected by WannaCry, Accellion’s findings are indicative of a long-running disconnect between the pace of technology and training in the NHS’ units.
Yorgen Edholm, CEO & President at Accellion, noted: “With a reported 93% of data breaches caused by human error, the integration of smartphones into the UK health service must be properly managed. Data breaches are continuing at an alarming rate, yet a cybersecurity mindset is still not ingrained at every level of the NHS Trusts.”
More recently, last November the NHS’s internal email was plunged into chaos after one staff member hit ‘reply all’ to a message, accidentally sending their response to 840,000 of their colleagues. But the issue was only exacerbated when frustrated workers sent more replies to complain. In a statement released by NHS Digital at the time, they claimed that in an effort to prevent more of a ripple-effect the distribution lists of the emails had to be disabled.
Yorgen concluded: “With the emergence of WYOD (wear your own device) it will become increasingly challenging for NHS Trusts to protect patient information. With the increasing use of wearable devices, employees are going to be the weakest link in the security ecosystem.”
This problem isn’t going to go away, and with the pace of technology the challenges are only set to increase. To stand any hope of making the NHS resilient to attack, security needs to be tackled as an end to end process, one which encompasses systems, processes and people. With all the talk of technological vulnerability, we need to remember that people are a critical element of this equation, and one which needs to be supported if critical infrastructure is to be protected.