WannaCry report shows NHS chiefs knew of security danger, but management took no action

More broadly, it has become clear that decentralization has left NHS cybersecurity very exposed when under attack. NHS Digital provides alerts and patches, of course, but there appears to be no mechanism for anyone to check, let alone enforce, that they are actually applied. In any case, security alerts run the risk of being drowned in the stream of “cry wolf” messages from the cybersecurity industry. NHS trust boards take little ownership of cybersecurity matters, and they are not being held accountable because the Care Quality Commission, the NHS regulator, has not included it in its inspections.

The official reaction from NHS Digital to the report was brief – no wonder, as it emerges from the affair having performed what was expected of it. In the years before the WannaCry incident, NHS Digital carried out on-site cybersecurity assessments at 88 NHS trusts, none of which passed. But without powers of enforcement, it was unable to press for the changes and preventative measures required to improve security. NHS Digital’s own review of the WannaCry incident (as mentioned in the NAO report) had established that most trusts did not even consider cybersecurity a risk to patient outcomes – a naive and dangerous view in an organization heavily dependent on integrated digital systems.

No one left holding the reins
The NAO report acknowledges that NHS trusts could not be blamed for some of the missing software updates. Some medical instruments, such as MRI scanners, are controlled by software written for old and unsupported versions of Windows, or in some cases supplied by companies that have since gone out of business, so no patch exists to apply. Decoupling these machines from the network would remove the most immediate exposure to a network worm such as WannaCry, but at the expense of complicating their use and increasing the chance of human error. Neither the NAO nor NHS Digital appears to have a solution yet.

For small NHS organizations, such as individual GP practices, there is likely to be an issue of resources. Who will have the time, and at what point in their already full working day, to ensure computers are updated? Should the many NHS receptionists wait for their Windows updates to complete at the start of their day, or help their patients?

Whether or not the lack of resources points to government underfunding of the NHS, the report certainly points to failures at the national level, at NHS England and the Department of Health. Both had been given cybersecurity recommendations by the National Data Guardian and the Care Quality Commission by July 2016, yet neither responded until July 2017, two months after WannaCry. The urgent need for effective, national-level cybersecurity incident planning in a system as decentralized as the NHS must be clear by now.

The NHS was spared the full impact of the attack mainly because a “kill-switch” in the ransomware (a domain name the malware checked before running) was quickly discovered and registered by MalwareTech researcher Marcus Hutchins, which halted its spread. Next time the NHS might not be so lucky, and new research has been commissioned with this in mind. Projects such as EPSRC EMPHASIS will look not only at the technical aspects of ransomware attacks but also at their economic, psychological and social aspects, to build a more rounded understanding of ransomware.

Not only will this interdisciplinary approach increase our understanding of ransomware attacks, it will also help us to quickly ascertain whether an attack is socially engineered – triggered by users opening attachments or visiting infected websites – or driven by technological means such as a worm, as was the case with WannaCry and NotPetya, the latter seeking to disrupt and destructively wipe data without seriously attempting to extort money. It is also important to understand the new means of payment via cryptocurrencies such as bitcoin, because ransomware is usually a crime of extortion. With a better understanding of our attackers and their motivations, we will be better placed to defend against them.
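The worm propagation and kill-switch behaviour referred to in the two paragraphs above, written out as a constructed Python model added here; it is not code from the article’s authors, the NAO or NHS Digital. The host names, the network layout and the domain name `kill-switch.example` are assumptions made for the illustration, and the model includes a patched host and an MRI console decoupled from the network so that the patching and isolation points raised earlier can be seen to play out.

```python
"""Toy model of a network worm with a DNS kill switch.

Constructed example (not code from the article's authors, the NAO or
NHS Digital). Host names, network layout and the domain name are made
up for the illustration; the worm behaviour modelled is: on every
execution, query a kill-switch domain and exit if it resolves, otherwise
encrypt the host and attack every reachable unpatched host.
"""
from dataclasses import dataclass, field


# Placeholder name, NOT WannaCry's real kill-switch domain.
KILL_SWITCH_DOMAIN = "kill-switch.example"


@dataclass
class Host:
    name: str
    patched: bool = False      # the flaw the worm exploits has been closed
    networked: bool = True     # False models a device decoupled from the LAN
    landed: bool = False       # the worm's code reached this host
    encrypted: bool = False    # the ransomware payload actually ran


@dataclass
class Network:
    hosts: dict                                   # name -> Host
    registered: set = field(default_factory=set)  # simulated DNS zone

    def resolves(self, domain: str) -> bool:
        """Stand-in DNS lookup: a name resolves only once registered."""
        return domain in self.registered

    def reachable(self, src: Host) -> list:
        """Hosts a worm on `src` can scan: other networked hosts, and
        nothing at all if `src` itself is off the network."""
        if not src.networked:
            return []
        return [h for h in self.hosts.values()
                if h.networked and h.name != src.name]


def run_worm(net: Network, entry: str, register_after=None) -> dict:
    """Spread the worm from `entry` and report what happened.

    Every execution first queries KILL_SWITCH_DOMAIN and exits if it
    resolves, before encrypting or scanning. `register_after=k` registers
    the domain once k hosts have run the payload, modelling a researcher
    registering it k infections into the outbreak (None = never found).
    Returns sorted lists of hosts the code landed on and hosts encrypted.
    """
    queue = [net.hosts[entry]]
    executions = 0
    while queue:
        host = queue.pop(0)
        if host.landed:
            continue
        host.landed = True
        if register_after is not None and executions >= register_after:
            net.registered.add(KILL_SWITCH_DOMAIN)
        executions += 1
        if net.resolves(KILL_SWITCH_DOMAIN):
            continue  # kill switch trips: no payload, no propagation
        host.encrypted = True
        for target in net.reachable(host):
            # The exploit only works on unpatched hosts; patched ones never "land".
            if not target.patched and not target.landed:
                queue.append(target)
    return {
        "landed": sorted(h.name for h in net.hosts.values() if h.landed),
        "encrypted": sorted(h.name for h in net.hosts.values() if h.encrypted),
    }


def build_trust() -> Network:
    """Constructed trust-sized network: unpatched and patched PCs plus an
    MRI console running unsupported software, kept off the network."""
    hosts = [
        Host("reception-pc"),
        Host("ward-pc"),
        Host("admin-pc", patched=True),
        Host("gp-laptop"),
        Host("mri-console", networked=False),
    ]
    return Network({h.name: h for h in hosts})


def outbreak(register_after=None, entry="reception-pc") -> dict:
    """Run one scenario on a fresh copy of the constructed network."""
    return run_worm(build_trust(), entry, register_after)


if __name__ == "__main__":
    print("kill switch never registered:   ", outbreak())
    print("registered before the first run:", outbreak(0))
    print("registered after one run:       ", outbreak(1))
    print("worm carried onto MRI console:  ", outbreak(entry="mri-console"))
```

Running the four scenarios shows the points the article makes: with nobody registering the domain, every unpatched networked host is encrypted and the patched one is never touched; registering it early leaves the code landed on later hosts but stops the payload; and the decoupled MRI console is never reached over the network, though it is still encrypted if the code arrives by some other route, because isolation is not the same as patching. The `register_after=None` case is what the authors mean by “next time the NHS might not be so lucky”.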

Eerke Boiten is Professor of Cyber Security, School of Computer Science and Informatics, De Montfort University. David S. Wall is Professor of Criminology, University of Leeds. This article is published courtesy of The Conversation (under Creative Commons-Attribution / No derivative).