NHS WannaCrypt postmortem: Outbreak blamed on lack of accountability

Plus systemic underspending in IT. Imagine that

A lack of accountability and investment in cyber-security has been blamed for the recent WannaCrypt virus that hobbled multiple hospital NHS IT systems last month in England, a report by The Chartered Institute for IT concludes.

The report, published today, comes following a similar, but more limited attack against UK-based companies as the result of the spread of the NotPetya ransomware earlier this week.

Whilst doing their best with the limited resources available, the Chartered Institute for IT report suggests some hospital IT teams lacked access to "trained, registered and accountable cyber-security professionals with the power to assure hospital Boards that computer systems were fit for purpose".

The healthcare sector has struggled to keep pace with cyber-security best practice thanks in large part to a systemic lack of investment. The WannaCrypt attack was an accident waiting to happen, according to David Evans, director of community & policy at The Chartered Institute for IT.

"Unfortunately, without the necessary IT professionals, proper investment and training the damage caused by the WannaCrypt ransomware virus was an inevitability, but with the roadmap we are releasing today, will make it less likely that such an attack will have the same impact in the future," Evans said.

The Chartered Institute of IT has joined forces with the Patient’s Association, the Royal College of Nursing, BT and Microsoft to produce a blueprint that outlines steps NHS trusts should take to avoid another crippling cyber-attack. Employing accredited IT professionals tops the list. The NHS board is being urged to ensure it understands its responsibilities, and how to make use of registered cyber security experts. The number of properly qualified and registered IT professionals needs to be increased, the report recommends.

Almost 50 NHS Trusts were hit by the WannaCrypt cyber-attack that left infected computers with encrypted files and at least temporarily unusable in many areas of the health service. The outbreak led to operations and appointments being cancelled or postponed.

The issue of how to improve security in the NHS following the WannaCrypt outbreak has been raised in Parliament. In response to a written question, junior Department of Health minister Jackie Doyle-Price said a review of the cyber attack was under way. Emergency measures specifically allocated to deal with last month's NHS ransomware attack cost £180,000. The government is making cyber-security a requirement of health service contracts, she added.

We have changed the National Health Service standard contract to include, from April 2017, cyber security requirements.

Evidence shows that the use of unsupported systems is continuing to reduce in health and care, as organisations replace older hardware. Latest estimates suggest the usage of Windows XP in the NHS has reduced from 15-18% at December 2015, to 4.7% of systems currently.

The 12 May 2017 ransomware incident affected the NHS in the United Kingdom. It is standard practice to review any major incident in the NHS. Further, the Chief Information Officer for health and care is undertaking a review into the May 2017 cyber-attack which is expected to conclude in the autumn.

The identifiable cost of emergency measures put in place to specifically address the NHS ransomware attack on 12 May 2017 was approximately £180,000. These costs were borne by NHS Digital and NHS England from internal budgets. Information relating to any expenditure incurred by individual local NHS trusts or other NHS organisations is not collected centrally.

There was a lot of focus on the NHS's reliance on obsolete Windows XP systems in the aftermath of the WannaCrypt outbreak. However post-hack technical analysis revealed that Windows XP systems were more likely to crash than get infected. Some Win XP systems did nonetheless get pwned, but in any case they weren't a vector in the spread of the cyber-pathogen. Windows 7 systems left unpatched against the leaked EternalBlue NSA exploits at the centre of the outbreak were a much bigger problem, it transpired.

The state of preparedness for online attacks in the NHS reflects those of the public sector more generally. Just over half (53 per cent) of local authorities across the UK are prepared to deal with a cyber-attack, according to a separate survey of over 100 council leaders by management consultancy PwC. Only a third (35 per cent) of local authority leaders are confident that their staff are well equipped to deal with cyber threats. ®


Biting the hand that feeds IT © 1998–2017