UK Health Service Should Have Prevented WannaCry Attack

NHS trusts were left vulnerable in a major ransomware attack in May because cyber-security recommendations were not followed, a government report has said.
 
More than a third of trusts in England were disrupted by the WannaCry ransomware, according to the UK National Audit Office (NAO).
 
At least 6,900 NHS appointments were cancelled as a result of the attack. NHS England said no patient data had been compromised or stolen and praised the staff response. The NAO chief said the Department of Health and the NHS must now "get their act together".
 
WannaCry, which spread to more than 150 countries in a worldwide ransomware outbreak beginning on 12 May, was the biggest cyber-attack to have hit the NHS to date. The malware encrypted data on infected computers and demanded a ransom roughly equivalent to £230 ($300). The NAO report said there was no evidence that any NHS organisation paid the ransom, but the financial cost of the incident remained unknown. An assessment of 88 out of 236 trusts by NHS Digital before the attack found that none passed the required cyber-security standards.
 
The report said NHS trusts had not acted on critical alerts from NHS Digital and a warning from the Department of Health and the Cabinet Office in 2014 to patch or migrate away from vulnerable older software. The Department of Health also lacked important information, the report said. "Before 12 May 2017, the department had no formal mechanism for assessing whether NHS organisations had complied with its advice and guidance."
 
Organisations could also have better managed their computers' firewalls - but in many cases they did not, it said.
NHS organisations have not reported any cases of harm to patients or of their data being stolen as a result of WannaCry.
NHS England has identified 6,912 appointments - including operations - that were cancelled as a direct result of the ransomware.
 
It estimated that about 19,000 appointments in total may have been affected. Cases included at least 139 people potentially with cancer, who had urgent referrals cancelled. It is not known: 
  • how many GP appointments were cancelled
  • how many ambulances and individuals were diverted from five accident and emergency departments unable to treat some patients
  • how many trusts or GPs experienced delays in information, such as test results
The NAO credits the widely reported work of cyber-security researcher Marcus Hutchins, who accidentally helped to stop the spread of WannaCry. His "kill switch" involved registering a domain name linked to the malware, which deactivated the program's ability to spread automatically.
 
Home Office Minister Ben Wallace was reported as saying that the government was "as sure as possible" that North Korea was behind the attack. "This attack, we believe quite strongly that it came from a foreign state," he said. "It is widely believed in the community and across a number of countries that North Korea [took on] this role".

Former chairman of NHS Digital, Kingsley Manning, said that a failure to upgrade old computer systems at a local level within the NHS had contributed to the rapid spread of the malware. He said: "The problem with cyber security for the NHS is [that] it has a particular vulnerability... It's very interconnected so if you get an attack in one place it tends to spread." Mr Manning blamed a lack of time and resources but also "frankly a lack of focus, a lack of taking it seriously" for individual NHS organisations' failure to keep up with cyber-security improvements. "This was an extremely unsophisticated attack," he added.
 
The NAO said the NHS "has accepted that there are lessons to learn" from WannaCry and will now develop a response plan. It will also ensure that critical cyber-security updates - such as applying software patches - are carried out by IT staff, the NAO said.
 
WannaCry was "a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice," said Sir Amyas Morse, comptroller and auditor-general of the NAO. "There are more sophisticated cyber-threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks."
 
Keith McNeil, NHS chief clinical information officer for health and care, said: "As the NAO report makes clear, no harm was caused to patients and there were no incidents of patient data being compromised or stolen. Tried and tested emergency plans were activated quickly and our hard-working NHS staff went the extra mile to provide patient care, keeping the impact on NHS services and patients to a minimum."
 
For many executives, a serious cyber-attack is now very high on their list of risks to their organisations and a priority for disaster planning.
 
So what is most shocking in this report is the lack of planning at a local level in the NHS for such an event. 
To be fair, the Department of Health had developed a plan - it was just that it had not been properly communicated or tested in the NHS trusts. When disaster struck, nobody seemed to know who was in charge or what to do. Of course, all of this could have been avoided if security patches had been applied to protect the Windows 7 systems common throughout the NHS.
 
Once again, there had been warnings sent out by NHS Digital, but many trusts failed to act upon them - though in that they were no different from many organisations around the world that were also hit. In one way, the NHS was lucky - if, instead of a Friday in May, the attack had taken place on a Monday in winter, with a week's appointments affected, the damage would have been far worse.
 
Cybersecurity experts will tell you that dealing with attacks like these is mostly a management rather than a technology problem. And in this case the NHS proved itself incapable of managing a speedy and effective response to its first major cyber-security crisis.
 
Analysis - by Rory Cellan-Jones, BBC technology correspondent
 
BBC
 