Unprecedented NHS cyber-attack disruption linked to ageing infrastructure
- 13 May 2017
NHS staff across the country are working this weekend to recover from the unprecedented disruption caused by yesterday’s cyber-attacks.
As NHS staff work to get IT systems patched, secure and running again, attention is quickly turning to the vulnerabilities caused by the reliance of many parts of the NHS on ageing infrastructure and software.
Questions are also being asked whether some of the disruption to services was avoidable, and had been caused by trusts switching systems off as a precautionary measure, rather than being infected by the Wannacrypt ransomware.
One leading NHS IT director told Digital Health News said that there appeared to have been a knee-jerk reaction to switch off systems. “All of the reports on the BBC [about disruption] are directly related to people having shut down networks, nothing to do with the ransomware itself.”
“I know people have been hit (I’m not saying attacked, because I can’t see either anything new, or anything NHS specific at the moment), but I fail to see how disconnecting clinical systems from networks helps anyone. If your clinical system can be attacked by ransomware, there is something seriously wrong with its deployment.”
It’s now known that 40 trusts plus GP practices in England and Scotland were affected by the Wannacrypt attacks yesterday.
NHS services across the country have been badly disrupted, appointments and operations cancelled and ambulances turned away, but there have not been any reports of patient data being lost, something confirmed by prime minister Theresa May overnight.
And despite initial reports to the contrary, it now seems clear that the NHS was not specifically singled out for an attack but instead one of a wide range of organisations internationally that fell victim to the Wannacrypt variant that spread like wildfire globally yesterday.
The National Cyber Security Centre quickly stepped in to co-ordinate nationally and advised: “The picture is emerging that this is affecting multiple countries and sectors and is not solely targeted at the NHS. As the Prime Minister said, we have no evidence that UK National Health Service patient data has been stolen.”
“We are very aware that attacks on critical services such as the NHS have a massive impact on individuals and their families, and we are doing everything in our power to help them restore these vital services.” The NCSC has offered advice on how to protect from Wannacrypt.
The suspicion is that many NHS trusts proved particularly vulnerable to Wannacrypt, which exploited a known flaw in Microsoft’s SMB file-sharing services, because some may have not kept up to date with Microsoft security patches, which may well raise alarm bells about the age of systems in use at many NHS trusts.
Support for Windows XP was withdrawn in April 2014 but according to Digital Health Intelligence data on NHS infrastructure as many as 20% of NHS organisations could still be relying upon it as their primary operating system, and around 90% are thought to run something on it somewhere in the organisation.
Speaking on Newsnight, Helen Stokes-Lampard, chair of the RCGP, called on the government to urgently step up investment in NHS IT infrastructure. “We and all of the other Royal Colleges have been calling for serious infrastructure investment for a long time.”
Darren McKenna, chief information officer at Northumberland, Tyne and Wear, which was not affected, told Digital Health News that the ransomware seemed a particularly nasty variant:
“It appears to be the worst combination of ransomware and a worm-like virus, so once a machine has it, it can infect another on the network using unpatched MS exploits. From the rate of spread and travel it looks like it went across some networks like wildfire.”
In the immediate aftermath of the attacks some NHS IT leaders were, however, critical of CareCert’s initial response and communications in the first few hours. One told Digital Health news, “The absence of central management and communications has been really worrying”.
NHS Digital told Digital Health News, however, that it had issued two bulletins in April to trusts including a patch and other advice, and when the attack hit “we also stood up a 24/7 service within one hour of first reports”. A spokesperson added, “There is clear information for NHS organisations on how to contact our services”.
Some NHS IT leaders expressed hope that the attacks would prove a wake-up call to the need to step-up investment in NHS IT, networks and security to protect the NHS against more serious future attacks. One commented: “Taking the long view, this is probably a good day for NHS IT.”
Another seasoned observer noted: “Overreaction? Yes. Ultimately helpful? Yes. The more the NHS delivery of service in perceived to be threatened by a lack of investment in digital the more likely we are to see budgets increased.”
Antony Walker, deputy CEO at tech industry trade body techUK, said: “This is clearly an evolving situation, but it is an important reminder for all organisations of the need to ensure that IT systems are up to date and staff have the tools and awareness they need to stay cyber secure. Organisations running out-dated systems are more vulnerable to these types of attack.”
Updated on Sunday, 14 May, 21.11, in response to an update from NHS Digital.
6 Comments
After the effects of this cyber attack, this doesn’t seem such a good idea, hope they have a rethink,
see below
https://www.digitalhealth.net/2017/04/juliet-bauer-confirms-nhs-uk-become-gateway-gp-records-september/
If this is correct Oh my good god!!! I am a senior Network engineer that’s almost criminal. I did a lot of work on the MOD Networks (Ex-Squaddie) However I did get a piece of work thrown my way for a short term contract I was shocked at how little they were willing to pay for such services. The old saying pay peanuts get monkeys springs to mind.
No amount of money or new IT kit will solve these problems. Fundamentally Security
and Configuration Managment in the NHS is pretty poor and expertise at this level is beyond the 100s of local originations even though many organisations have the fancy expensive kit and like the idea of playing with boxes and wires.
For one I don’t know why some hospitals continue to invest in home brew email systems when there is a national solution ready and paid for. In this recent attack most the organisations hit seem to use local email systems.
There is also the delusion that N3 is somehow secure when it is a hostile network.
I know NHS organisations:
– Open up firewalls based on IPs alone without considering services / ports
– Do not properly segment their networks
– Allow workstations to openly and freely connect to each other once in a trusted zone.
– Do not have a proper patch / update management regime
– Do not firewall legacy systems
– Have wiring cabinets that look like rats nests.
– Don’t have basic ACLs and work in least privileges.
These are just some security 101’s that are pretty widespread in the NHS and I am far from an expert on the matter.
So we can pay millions to Microsoft to replace their obsolete and insecure software in the NHS with their latest version or we could make the move now to https://www.nhsbuntu.org//
The idea open source will somehow solve this problem is like saying everyone should use Apple because “Macs don’t get viruses”.
You cannot dodge the fact that security is multi-faceted and a layered approach and in the hospitals impacted all the layers were broken not just Windows.
Why were they using local email systems? Why did they have such an open network that allowed proliferations? Why weren’t servers and workstations that could be patched updated and others isolated?
If you can’t get these and other basic things right open source can’t help you.
Sorry i have a little bit of organisational memory , so wind the clock back to 2004
https://www.theregister.co.uk/2004/11/08/nhs_ms_deal_analysis/
then someone do an FOI in the decision to chop ms EWA in 2010..
IMO central bean counters shaving a few zero’s off the spread sheet and thinking it would be good decision to devolve locally , or orgs now all have to have compliance team . I am not sure if there is a central asset register on the current distributed costs to spin the redmond plates.
the surprise MS tech announce that they would after all patch the unsupported Win XP on 12th of May , should be the point of a VERY robust conversation from now on about fixin all the other known issues , in the confines of national security conversations.
we should use this grid to frame our thinking
https://support.microsoft.com/en-gb/help/13853/windows-lifecycle-fact-sheet
” means of production ” from now on?
Comments are closed.