
Is the NHS prepared for the next WannaCry?

When ransomware paralysed parts of the NHS in May, the government pledged new targets and funding for its IT systems. But are hospitals safe from the next strike? 

It was a Friday in May, and “Sam” – a senior administrator at a major English hospital trust – was preparing to leave for work. When she picked up her phone, she noticed that her inbox had ballooned: “I had all these concerned messages from people I didn’t know.”

The cause of the panic became clear when Sam arrived at the trust. “They had switched off the computer networks; you couldn’t access any of the systems.” She was called into a meeting with the hospital’s senior management who declared a “business continuity incident”. Like 39 other NHS trusts around the country, Sam’s had been paralysed by WannaCry ransomware.

In the months following the attack, British and American intelligence officials traced the computer virus to hackers in North Korea. Their bug had spread indiscriminately through thousands of organisations’ networks and was designed, most cyber security experts now believe, not to generate money, but simply to cause chaos.

“Business continuity status means everything has to go back to paper,” says Sam, whose name has been changed to protect her identity. “We were already full so we had no beds and had to keep sketching the ward layouts. You suddenly realise how reliant you are on technology.”

It was feared the NHS Mail system had been compromised and that confidential patient data would be leaked. Staff at Sam’s trust were forced to abandon the platform. With no other system to share patient data electronically, her team took the decision to cancel all non-emergency and non-maternity appointments and operations for a week.

“I suppose you could say we could’ve gone ahead without access to the electronic systems, but it only takes it to go wrong for one person,” Sam reflects. “I wasn’t confident that patients weren’t being put at risk. You don’t want anyone going in for any sort of invasive treatment if the surgeon and anaesthetist haven’t got the full story.”

Between five and seven thousand patients in Sam’s department alone are thought to have been affected during the course of that week. Around the country, tens of thousands more faced cancellations. “Because we had no way to communicate electronically and securely, you’re risking cancer diagnosis,” Sam explains. “You’re risking delaying people’s treatment, which can be fatal.”

The tragic reality – as it later emerged – was that it was an unnecessary precaution. Chris Flynn, the security lead for NHS Digital, told delegates at the UK Health Show last month that his organisation had failed to explain the limitations of the virus. “We didn’t tell people specifically that NHS Mail was safe,” he said. “We didn’t say it wasn’t, but we didn’t say it was. And we know that people pulled connections.”

The communication failure was one of several reasons the virus hit the health service so hard. While NHS Digital had issued a patch to fix the vulnerability in affected Windows software, a number of hospital trusts’ IT teams had failed to implement it, leaving them exposed when WannaCry started spreading. It was only when then 22-year-old Marcus Hutchins, also known as Malware Tech, accidentally identified a kill-switch that the virus was contained.

In the wake of WannaCry, the government has pledged to spend £50m on improving cyber security and patient data in the NHS, which includes the creation of a £21m fund for the UK’s 27 major trauma centres. NHS Digital has also recently started searching for a supplier of a new cyber security centre to improve the service it offers hospital trusts.

When the government announced the new funding in July, the health minister Lord O’Shaughnessy said: “The NHS has a long history of safeguarding confidential data, but with the growing threat of cyber attacks including the WannaCry ransomware attack in May, this government has acted to protect information across the NHS. Only by leading cultural change and backing organisations to drive up security standards across the health and social care system can we build the resilience the NHS needs in the face of a global threat.”

But while the additional funding was broadly welcomed, some experts have cast doubt on whether it will be enough to transform the cyber security of a distributed behemoth that has underfunded its IT provision for decades.

David Evans, the Chartered Institute for IT’s policy director, questioned the logic in providing extra cyber security funding for major trauma centres, but not for the rest of the NHS’s 240 trusts. “The additional funding will be welcomed by NHS CIOs at major trauma sites, but the rest will have to consider cuts to other areas of budgets to shore up cyber security.”

Aside from the funding, the government has also set strict new targets for trusts. The headline requirement is that they must issue software patches for bugs within 48 hours of NHS Digital making them available. When the Network and Information Systems (NIS) Directive comes into force in May, critical service providers such as hospitals will also be liable to fines of up to 4 per cent of their annual turnover if they fall victim to attacks and fail to prove they have followed guidelines for good cyber hygiene.

Professor Alan Woodward, a cyber security researcher at the University of Surrey, describes the two-day deadline as a classic example of overzealous centralised management. “If you don’t have the resources, it’s like saying everyone needs to be seen in A&E within four hours. If you haven’t got the clinicians, it doesn’t help you. It just gives you a stick to beat people with, and all they do is they find a way of changing the targets.”

Additional support for NHS Digital or the National Cyber Security Centre will not instantly solve the problem, argues Woodward. “If you look at what actually happened in WannaCry, the problem wasn’t actually in the centre,” he says. “NHS Digital had an update ready for this that would’ve stopped it. The problem was the lack of resources out in the individual trusts, so individual trusts either didn’t have the people or the people with the skills to actually roll this out in time.”

NHS Digital’s Dan Taylor says the organisation provides an advisory service to trusts. “We support providers by giving free data security assessments to identify their strengths and weaknesses, to help them understand the nature of the potential threats they face and the steps they need to take to enhance their preparedness. We also provide some consultancy services following these visits to help address any areas of concern.”

It might be easy to update a computer at home, but it’s significantly more difficult in a corporate environment, especially one as complicated as a hospital. “You have to make sure that you don’t mess up all the other applications you have,” explains Woodward. “Although it’s called a National Health Service, there isn’t a National Health Service IT. Every trust is different. They’ve got their own mix of applications and so every trust has to look and make sure they don’t mess up their IT.”

One of the solutions, Woodward says, is to be found in Scotland, where a number of trusts have already invested in technology that simplifies the rollout of software updates. “Rather than have a man in a van with a USB stick upgrading everything, they can do it laterally, they can send all of the updates out.”

Evans and Woodward’s concerns about funding are shared by the health service’s IT leaders. In June, just weeks after the WannaCry virus struck, cloud computing provider VMware surveyed more than a hundred NHS IT decision-makers. Seventy per cent said the NHS was not allocating enough funding to cyber security. Over a quarter had been forced to cancel or postpone appointments due to cyber incidents, and nearly a third said they were certain that electronic patient data had been infiltrated by hackers.

Despite the government’s plans for improving hospitals’ cyber security, Sam isn’t convinced that WannaCry will be the last strike to cause significant disruption in the health service: “I would like to say it will be, but I don’t think we can reliably say that. Until we’re in the situation where a critical service is properly resourced in every way it needs to be, in terms of people, infrastructure and estates, we’re always going to be running at a risk. Technology moves so quickly and the NHS does not. It’s too big and it’s not in the fiscal situation to keep up.”


The UK is prepared for the international cyber threat

The Secretary of State explains how the UK is shoring up its defences, and working with other nations to meet the challenges of the digital age.

In the past three years as Defence Secretary, I’ve been confronted by a swathe of complex challenges. Yet whether the danger comes from state aggressors, rogue states or non-state actors, it’s striking how often cyber is now their weapon of choice. And there’s a very good reason we now regard cyber as a Tier One threat – up there with natural disasters and terror. Virtual attacks have real consequences. We’ve seen Daesh using online tools to recruit followers and spread murderous propaganda. We’ve seen Russia using an army of social media bots to steadily drip-feed fake news and disinformation to the West, poisoning public trust. And North Korea’s fingerprints appear to be on numerous high-profile cyber strikes.

This year alone Parliament has been hacked and the WannaCry virus has shut down NHS operating theatres, as well as affecting more than 200,000 people worldwide. The consequences for the military are equally significant; it has been claimed Russia used malware to track and target Ukrainian artillery, which illustrates how cyber can directly impair military capability. While big set-piece attacks are devastating, lower-level activity is costing business billions, undermining democracy and putting us all at risk.

In recent years we’ve seen our cyber adversaries multiply, attracted by the anonymous and ambiguous nature of the medium. It’s no longer the usual suspects; now any loner with a laptop and a grudge can cause chaos. That’s why the UK is taking action. We’re investing £1.9bn to strengthen our cyber security capability. This month we marked the first anniversary of the National Cyber Security Centre – bringing together some of the best cyber security brains from across government and the country. In the past year it has responded to nearly 600 significant incidents requiring a national, coordinated response. Defence is at the forefront of our response which incorporates three key elements.

Firstly, it’s about creating better resilience. We’re making sure our latest fifth-generation kit, from F35 to future frigates, Ajax Armoured Vehicles to drones, is packed with information sensors that can gather millions of bytes of data per second, to detect cyber intrusions and respond appropriately. We’ve also set up the Defence Cyber Partnership Programme ensuring companies with whom we’ve placed defence contracts are properly protected and meeting a host of security standards.

Secondly, we’re recruiting the best and brightest cyber talent. We’ve got cyber reservists from industry and academia putting their high-tech skills at the service of the nation by weeding out network vulnerabilities. We’re also building up a new 21st century Cyber Corps. This team of expert volunteers and captains of industry will advise us how to generate the disruptive capability needed, in everything from big data to autonomy, to keep us ahead in the cyber space race. Cyber is now a core part of our military training. In a few months’ time we will open a dedicated state-of-the-art Defence Cyber School at Shrivenham, bringing together all of our military joint cyber training into one place.

But, as RAF Second World War hero Air Vice-Marshal ‘Johnnie’ Johnson once remarked: “The only proper defence is offence.” Knowing we have the ability to expose cyber attacks and respond, whether in the air, on land, at sea, or in the cyber sphere, will deter our adversaries. Equally, offensive cyber capability gives us the means to maintain our battlefield advantage, delivering more targeted effects, limiting civilian casualties and protecting our own people.

And thirdly, we’re making offensive cyber an essential part of our arsenal, to use it where appropriate and governed by our commitment to international law. Our National Offensive Cyber Programme allows us to integrate cyber into all our military operations, and is being used with great effectiveness to degrade Daesh, not only in Iraq but in Syria too. And we’re not just investing in kit capable of soaking up a wealth of data, but running a multimillion-pound competition to develop machine learning algorithms and artificial intelligence too – freeing up our personnel to provide a more co-ordinated and tailored response.

When it comes to cyber deterrence we stand stronger when we stand together, so we’re also working with our allies to develop our collective cyber response. At last year’s Warsaw summit, NATO recognised cyber as a distinctive domain of operations for the first time. Allied nations signed the cyber pledge, committing to enhance their national defences and strengthen their collective capability to resist attack. Simultaneously we need to continue to develop the ability to provide a proportionate response to cyber attacks against NATO allies. Having honed our own innovative national cyber techniques, we’ve become one of the first NATO members to publicly offer offensive cyber support to Alliance operations as and when required.

In 1933 Churchill declared: “Air power may either end war or end civilisation”, knowing air power could be used for good or ill. He made the right choice and in the dark decade that followed, our planes helped liberate our nation and transform our lives for the better. Now, in this new cyber age, we too are determined to make the right choices – boosting our cyber power to make our nation safer and the world more secure.