In May 2017, the NHS experienced a “critical incident” not dissimilar to the crisis currently unfolding in hospitals across the country. As doctors and nurses struggled to meet the demand on their services, they were forced to postpone tens of thousands of all but the most urgent operations, risking patients’ lives and costing an already austerity-stricken health service nearly £100m.
But while this particular incident shared some similarities to the coronavirus crisis, it was triggered by a different kind of viral outbreak. Hackers linked to the North Korean government had released a ransomware virus that quickly spread across the web. Dubbed WannaCry, the virus encrypted computer networks around the world, bringing organisations that had failed to update their Microsoft software, including dozens of NHS trusts, to a screeching halt.
Now, as Covid-19 threatens to plunge the NHS into unprecedented crisis, Interpol is warning that hospitals and other healthcare organisations are facing another surge in ransomware attacks, quashing hopes that cybercrime groups would spare organisations operating at the frontline of the outbreak. (In an email exchange with the website Bleeping Computer, two high profile ransomware operators had promised to attempt to avoid healthcare organisations, while acknowledging that ransomware is notoriously difficult to contain.) So what steps has the NHS taken to protect itself since WannaCry and could such an incident happen again?
There are two reasons WannaCry spread so quickly through the health service in 2017.
Firstly, malicious code known as exploits, which were developed by the US National Security Agency to target vulnerabilities in Windows software, had been accidentally leaked, providing less sophisticated hackers, such as those working on behalf of North Korea, with the ability to develop extremely powerful malware.
Secondly, the NHS had been underfunding its IT provision for decades. By the time North Korea released the virus, hospitals still hadn’t updated their Windows software, meaning the databases upon which hospitals depended were exposed and quickly encrypted.
Many security experts believe the health service is better prepared to weather a similar strike today. The EternalBlue and EternalRomance exploits developed by the NSA were unusually powerful; as far as we know, another set of exploits either as dangerous or as widely accessible as the NSA’s are yet to emerge. Just as significantly for the UK, in the wake of WannaCry, the NHS has spent £159m on upgrading its operating systems to Windows 10, meaning only a small number of computers are now running versions of the software that are no longer supported with security updates when new vulnerabilities appear.
NHS trusts have also been working closely with the National Cyber Security Centre (NCSC) to improve their defences, and they appear to have made significant progress. According to data released under freedom of information laws in January, the NHS has suffered 209 successful ransomware attacks since 2014, but only six took place after WannaCry – although one in five hospitals surveyed as part of the research refused or failed to answer the question.
While an incident as widespread as the WannaCry crisis is unlikely to reoccur within the NHS in the near future, individual trusts may still be vulnerable to more targeted attacks. “Evidently, the NHS is stretched to breaking point,” Joyce Hakmeh, a research fellow at Chatham House, told the Press Association last week. “Expecting it to be on top of its cyber security during these exceptionally challenging times is unrealistic.”
In order to reduce the administrative burden, NHSX, the health service’s tech unit, has given hospital trusts an extra six months to carry out their next set of security resilience checks. “I would have been utterly shocked to hear this just a few months ago,” Jake Moore, a former cybercrime police officer who now works for the security firm ESET, told the New Statesman. But while Chatham House’s Hakmeh criticised the move, Moore said it was justified given the circumstances. NHSX said that even though they wouldn’t be assessed on the matter in the short-term, “all organisations must continue to maintain their patching regimes”.
Although the NHS’s cyber defences have been reinforced in light of the WannaCry attack, there may be another reason that the number of successful attacks on its systems has declined so rapidly. NHS Digital claimed in 2017 that the health service has never paid a ransom and a National Audit Office report into the WannaCry incident found no evidence that any of the affected trusts had paid up. Ultimately, hackers follow the money and if it dries up in one area, they move on to a different set of targets.
The NHS will hope a new package of work with the NCSC to protect hospitals, twinned with its reputation for not normally paying ransoms, will make it a less appealing target for hackers. But there is another factor that could also play to its favour; the prospect of retaliation. Some security experts believe that nation states could turn their cyber military might against gangs that take on healthcare organisations.
Whether this will all be enough to protect the NHS during the peak of the crisis remains to be seen, but the health service’s leaders will hope that, to cybercriminals considering whether or not to target the health service, the risks will seem greater than the reward.