The NHS v WannaCry: Lessons learned and cybersecurity guidance

How did the breach take place?

Friday 12 May 2017 was a Black Friday in the truest sense of the word – not a day of panic in trying to grab a bargain in discounted sales, but a day that witnessed a global ransomware attack now known as WannaCry. The attack was random and whilst one of the major victims was the NHS, it was certainly not targeted. The cyber-attack affected some 100 countries and in excess of 200,000 computers. The exact numbers and full extent will never be known.

Perhaps more surprisingly the cost to the NHS will also not be known as, despite investigation by the Department of Health and a report from the National Audit Office (NAO), we are informed that the cost is not calculable; much of the data as to the full impact of the attack is seemingly lost or unavailable. If that is true, shoddy systems in place at the NHS can serve as a warning to other organisations, regardless of size and sector.

Those shoddy system included those covering IT and cybersecurity. For a start, the infection by the WannaCry ransomware was entirely avoidable. Every single NHS organisation that was infected had unpatched or unsupported Windows operating systems that enabled virus infection.

System updates went unheeded

Significantly, in March 2017 Microsoft had issued updates that NHS trusts using Windows 7 could have adopted to protect themselves. Further, on 17 March 2017, NHS Digital had issued a CareCERT asking NHS trusts to apply the Microsoft update.  If the Department of Health’s figures are to be relied upon, more than 90% of the devices in the NHS are operating on Windows 7, so that 90% of those devices would have been protected if they had been patched in line with the NHS Digital request.

Trusts running older Windows XP operating systems on devices had been expressly notified that they were to migrate away from their use, yet when the attack came on 12 May 2017, approximately 5% of the NHS was still reliant on an outdated Windows XP operating system. Windows XP can, however, be patched and following the attack, Microsoft issued an XP update that would have prevented the ransomware infection.

This non-targeted ransomware attack was spread via the internet and caught the NHS which was exposed due to its unpatched Windows systems. Even this exposure would not have been fatal had effective firewalls been in place to repel the threat, but there was no such line of defence because firewalls had not been maintained, so that even this basic shield was missing.

Prior to this Black Friday the NHS had no joined up cybersecurity and a culture of woeful non-compliance; as at 12 May 2017 only 88 out of 236 trusts had been subject to a cybersecurity inspection by NHS Digital. Of the 88 inspected not a single trust passed. The inspections were voluntary and CareCERTs requesting updates and other basic cybersecurity measures were treated as being voluntary and largely ignored. The NHS Trusts were silos and the Department of Health had no knowledge of which had complied with the requests. The Department of Health was itself unprepared; it was warned a year before the attack that it was at risk, yet did not provide any written report in response until two months after the attack in July.

Breach response was inadequate

Sadly the NHS had no proper breach response plan or, if it did, it did not have one worth having. History tells us that one of the key features of a cyber-attack is the communication blackout that follows. It was Maersk’s lack of preparedness for this blackout that caused such bewilderment when the shipping giant was hit by cyber-attack and the same was true of the NHS.

The very first hurdle, the loss of key communication systems, was not properly prepared for and staff were left scrabbling for personal mobiles in order to try to send WhatsApp messages, subject to the contact being within their personal contact list. Roles, responsibilities and reporting lines were not properly defined, with the result that emergency calls were made to various local, national agencies and emergency services in the uncoordinated disorganised panic that followed the attack.

It is arguably better not to have any breach response plan than one that is merely a box ticking exercise that leads, as here, to complacency and increased confusion when the attack hits. Incident response plans should be tested in a realistic way – there needs to be a drill where systems are not available for use and staff become familiar with how they make contact and with whom, and a step by step means of limiting damage and restoring and recovering systems.

In conclusion, they had a woefully inadequate breach response plan which arguably wasn’t a plan at all but rather an unpractised and ineffective hypothetical policy with which none of the key personnel were sufficiently familiar.

The recovery was aided by a cybersecurity researcher who activated a kill switch; his action prevented WannaCry locking out further systems and devices. That was by luck or intuition rather than design as it was not in pursuit of any implemented national cybersecurity policy; NHS England’s IT department did not even have on call emergency facilities in place so there was a reliance on IT staff attending work voluntarily to assist in fire-fighting.

The National Cyber Security Centre and National Crime Agency also pitched in, assisting the NHS and other affected organisations – it is unclear just how much worse the lines of communication and impact might have been but for that external assistance.

 Lessons learned and cybersecurity guidance

The disjointed structure of the NHS gives little cause for hope. The Department of Health has overall responsibility for cybersecurity but this is delegated to a myriad of trusts, GP Practices and social care providers. History tells us that these organisations do not all march in step and have previously failed to heed warnings or requests. The NHS has now declared “the need to improve the protection from future cyber-attacks” but how will it actually implement such a statement of intent when it comprises silos that are seemingly ungovernable?

A number of key measures that can equally be beneficial to other organisations regardless of size and sector:

• Develop a response plan that can work in practice and is tested. Organisations regularly hold fire drills but rarely hold cyber-attack drills. Test the response plan to ensure it is familiar and that it works.
• Ensure “critical” CareCERT alerts and security updates are implemented
• Ensure essential communications get through during an incident when systems are down.
• Ensure staff and boards take the threat of cyber-attack seriously, work proactively to maximise resilience and reduce the impact on customers. Train staff thoroughly.

The need for a workable, effective breach response plan is critical here. The NAO inquiry report found a cyber-breach response plan had already been developed by the NHS on 12 May when the attack hit. It was not the absence of a plan, but rather the inability to put any plan in to practice, that was at the heart of the failure. That can only be taught through cyber drills that replicate the loss of communication and key system support when an attack takes down those functions.

There needs to be a compliance regime with teeth within organisations to ensure that there are routine checks and sanctions for those who fail to adhere to CareCERTS or other cybersecurity measures that have been identified.

In terms of practical steps, organisations should be setting a minimum number of drill targets, rather like fire drills backed by mandatory inspections; if an organisation fails inspection there should be immediate action to remedy and a follow up test. In the arena of cybersecurity it is deeds, not just words, that matter.

For more information or for advice, contact Professor Dan Hyde at [email protected] or on 07824 482 388.