A Cecile Park Media Publication | March 2018

NHS: The lessons learned from WannaCry
On 1 February 2018 the Department of Health and Social Care (‘DHSC’) published its independent report entitled ‘Lessons learned review of the WannaCry Ransomware Cyber Attack’ (the ‘Report’). The stated aims of the Report were to analyse the lessons learned, assess the actions taken to date and make clear recommendations on what further measures are required to ensure the entire health and social care system is as robust as it can be in reducing the risk and impact of a future cyber attack. In this article Dan Hyde, Partner at Penningtons Manches, examines the Report, providing insight into the background and context of the attack before assessing the Report’s findings.
The background
On Friday 12 May 2017 we witnessed a global ransomware attack now known as WannaCry. The attack was random and whilst one of the major victims was the NHS it was not a specific target. The cyber attack affected some 100 countries and in excess of 200,000 computers. The exact numbers and the cost to the NHS will never be known as, despite investigation by the DHSC and an earlier report by the National Audit Office, we are informed that the cost is not calculable as much of the relevant data was lost and is not retrievable. That, of itself, does not cast the NHS’s cyber security breach response plan in a positive light.
The infection by the WannaCry ransomware was entirely avoidable. The ransomware attack was spread via the internet and affected the NHS, which was exposed due to its unpatched Windows systems. This exposure would not have been fatal had effective firewalls been in place to repel the threat, but because firewalls had not been maintained even this basic defence shield was missing. Every single NHS organisation that was infected by WannaCry had unpatched or unsupported Windows operating systems that enabled virus infection. Significantly, in March 2017 Microsoft had issued updates that NHS Trusts using Windows 7 could have adopted to protect themselves. Further, on 17 March 2017, NHS Digital had issued a CareCERT briefing asking NHS Trusts to apply the Microsoft update. If the DHSC’s figures are to be relied upon, more than 90% of the devices in the NHS are operating on Windows 7, so 90% of those devices would have been protected if they had been patched in line with the NHS Digital request. Trusts running older Windows XP operating systems on devices had been expressly notified that they were to migrate away from their use, yet when the attack came on 12 May 2017, approximately 5% of the NHS was still reliant on an outdated Windows XP operating system. Windows XP can however be patched and, following the attack, Microsoft issued an update for XP that would have prevented the ransomware infection.
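The three failures described above (unsupported operating systems, the March 2017 update not applied, firewalls not maintained) are exactly what a central body needs to see per device and per Trust before an attack, not after. The script below is an added example, not code from the article or from the Report, showing how such a compliance check over a device inventory might look. The inventory rows, Trust names, hostnames and column names are constructed for illustration; the comment identifying the March 2017 update as Microsoft security bulletin MS17-010 is the editor's addition and is not stated in the article.

```python
"""Patch-compliance check over a device inventory (added example).

The inventory rows, Trust names and column names below are constructed
for illustration; they describe no real NHS organisation or device.
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass

# Operating systems that Microsoft no longer supported on 12 May 2017.
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}

# Constructed inventory, one row per device. "march_2017_update" records
# whether the March 2017 Microsoft security update (bulletin MS17-010,
# not named in the article) has been applied.
INVENTORY_CSV = """\
trust,hostname,os,march_2017_update,firewall_maintained
Trust A,ward-pc-01,Windows 7,yes,yes
Trust A,ward-pc-02,Windows 7,no,yes
Trust A,mri-console,Windows XP,no,no
Trust B,reception-01,Windows 7,yes,yes
Trust B,reception-02,Windows 10,yes,yes
Trust C,lab-pc-01,Windows 7,yes,yes
Trust C,lab-pc-02,Windows 7,no,no
"""


@dataclass(frozen=True)
class Finding:
    trust: str
    hostname: str
    reason: str


def _rows(csv_text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def assess(csv_text: str) -> list[Finding]:
    """Flag every device left exposed in the way the article describes:
    unsupported OS, update not applied, or no maintained firewall."""
    findings: list[Finding] = []
    for row in _rows(csv_text):
        trust, host = row["trust"], row["hostname"]
        if row["os"] in UNSUPPORTED_OS:
            # No vendor patch was available for these systems on the day.
            findings.append(Finding(trust, host, "unsupported OS"))
        elif row["march_2017_update"].strip().lower() != "yes":
            findings.append(Finding(trust, host, "March 2017 update not applied"))
        if row["firewall_maintained"].strip().lower() != "yes":
            # Second line of defence when the patch is missing.
            findings.append(Finding(trust, host, "firewall not maintained"))
    return findings


def trust_compliance(csv_text: str) -> dict[str, bool]:
    """Per-Trust view: a Trust is compliant only if none of its devices is
    flagged. This is the picture the DHSC lacked when the attack struck."""
    flagged = {f.trust for f in assess(csv_text)}
    trusts = {row["trust"] for row in _rows(csv_text)}
    return {t: t not in flagged for t in sorted(trusts)}


def os_share(csv_text: str) -> dict[str, int]:
    """Share of devices per OS in whole percent (compare the article's
    90% Windows 7 / 5% Windows XP figures for the NHS estate)."""
    counts = Counter(row["os"] for row in _rows(csv_text))
    total = sum(counts.values())
    return {name: round(100 * n / total) for name, n in counts.items()}


if __name__ == "__main__":
    for f in assess(INVENTORY_CSV):
        print(f"{f.trust:8} {f.hostname:14} {f.reason}")
    print(trust_compliance(INVENTORY_CSV))
    print(os_share(INVENTORY_CSV))
```

Run as a script it lists the five flagged devices, reports Trust B as the only compliant Trust, and gives the OS breakdown. The useful design point is that the per-device findings and the per-Trust roll-up come from the same data: a Trust cannot self-certify as compliant while any one of its devices is unsupported or unpatched, which is the gap the voluntary CareCERT process left open.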
CYBER SECURITY
Dan Hyde, Partner
dan.hyde@penningtons.co.uk
Penningtons Manches LLP, London

DIGITAL HEALTH LEGAL

In the lead up to the attack the NHS had a culture of woeful cyber security non-compliance; at 12 May 2017 only 88 out of 236 Trusts had been subject to a cyber security inspection by NHS Digital. Of the 88 inspected not a single Trust passed. The inspections were voluntary and CareCERTs requesting updates and other basic cyber security measures were treated as being voluntary and largely ignored. The NHS Trusts were silos and the DHSC had no knowledge as to which had complied with the requests. The DHSC was itself unprepared; it was warned a year before the attack that it was at risk, yet did not provide any written report in response until two months after the attack, in July. Unsurprisingly the NHS had a woefully inadequate breach response plan as well, which arguably wasn’t a plan at all but rather an unpractised and ineffective hypothetical policy that none of the key personnel were sufficiently familiar with.
The recovery was aided by a cyber security researcher who activated a kill switch; his action prevented WannaCry locking out further systems and devices. That was by luck or intuition rather than design, as it was not in pursuit of any implemented national cyber security policy. NHS England’s IT department did not even have emergency facilities in place, so that there was a reliance on IT staff attending work voluntarily to assist in firefighting. The National Cyber Security Centre and National Crime Agency also pitched in, assisting the NHS and other affected organisations - it is unclear just how much worse the lines of communication and impact might have been but for that external assistance.
The lessons learned
In its foreword, the DHSC claims: “The NHS responded well to what was an unprecedented incident, with no reports of harm to patients or of patient data being compromised or stolen.” This positive and debatable assertion is then tempered by the recognition that the incident highlighted areas for improvement both within local NHS organisations and across the NHS as a whole and that “since the attack, urgent action has been taken to tackle these challenges.” So - what has been learned and what action is being taken?
The recommendations are detailed and far more thorough than measures previously identified. They include significant capital investment in cyber security and call for improvements in incident response, resilience, leadership and overall preparedness. A Cyber Handbook has been produced, setting out the approach and actions in the event of a cyber attack; significantly, the DHSC will take the lead, with NHS England responsible for coordinating the system response. Another important development is that the CareCert Collect Portal, an online self-service platform, has been launched by NHS Digital to encourage a proactive approach to cyber resilience, and plans are afoot to ensure care providers sign up to the Portal and apply critical high impact CareCERTs. This, if implemented, would go some way to patch up vulnerabilities, but it must be enforced and not left to the care providers. In summary:
• Incident management is to be changed with the new approach set out in the Cyber Handbook. This seeks to establish the roles and responsibilities of the plethora of organisations that must coordinate their approach to an attack on the NHS. The Report recognises the need for cyber drills and recommends an annual national cyber rehearsal, together with regular local cyber incident tests. If implemented in a way that mimics the communication blackout and impact of a cyber incident, this will be a huge stride forward. The danger is if the rehearsals are not an accurate recreation and lead to complacency. It is arguably better not to have a response plan at all than one that doesn’t function under the stress of an actual incident.
• Communication is to be more coordinated. The incident room should ensure communication channels are clear and well managed, with consistent selection of the organisations called upon for assistance; this would avoid assistance providers responding with the same information to multiple requests. The heavy reliance on email should be addressed so that social media and other alternative communications platforms are available when email is taken down in a cyber attack. Continued testing of these alternatives will be crucial to ensure there is functional communication support.
• Data collection will be improved via an established set of standard data requests by NHS England in the event of attack. This should improve the completeness of data to support incident management and reduce the burden of data collection when the attack is still live. Traditional paper-based processes will also be implemented where the incident management system is affected. Paper, it seems, has a place in cyber defence.
• Resources must be available and include cyber accredited support. NHS Digital’s contact centre must be sufficiently staffed and develop its emergency on-call expertise to ensure the right people are available to make key decisions and provide support. It is remarkable this was not already in place. Many of the NHS personnel dealing with WannaCry had no relevant experience of a cyber attack, there was a lack of IT staff and those that did help were often doing so on a voluntary firefighting basis. IT support teams are to be cyber accredited and include cyber support units with a developed and tested emergency response capability.
So will these recommendations be effective? One concern is that the disjointed structure of the NHS gives little cause for hope. The DHSC has overall responsibility for cyber security, but this is delegated down to a myriad of Trusts, GP practices and social care providers. History tells us that these NHS organisations do not all march in step and have previously failed to heed security warnings or requests. That said, these recommendations are detailed and thorough; proper implementation will be key to their success. My own view is that there needs to be a compulsory scheme of regulation and a compliance regime with sharp teeth. There should be routine checks and sanctions for those who fail to adhere to CareCERTs or requests. The Report certainly reads well, but words are not enough; deeds and significant capital are required to implement these recommendations. Will this happen? Do not be in doubt, another major cyber attack will strike the NHS - and when it does we will have our answer.