NHS staff across the country are working this weekend to recover from the unprecedented disruption caused by yesterday’s cyber-attacks.
As NHS staff work to get IT systems patched, secure and running again, attention is quickly turning to the vulnerabilities caused by the reliance of many parts of the NHS on ageing infrastructure and software.
Questions are also being asked whether some of the disruption to services was avoidable, and had been caused by trusts switching systems off as a precautionary measure, rather than being infected by the Wannacrypt ransomware.
One leading NHS IT director told Digital Health News said that there appeared to have been a knee-jerk reaction to switch off systems. “All of the reports on the BBC [about disruption] are directly related to people having shut down networks, nothing to do with the ransomware itself.”
“I know people have been hit (I’m not saying attacked, because I can’t see either anything new, or anything NHS specific at the moment), but I fail to see how disconnecting clinical systems from networks helps anyone. If your clinical system can be attacked by ransomware, there is something seriously wrong with its deployment.”
It’s now known that 40 trusts plus GP practices in England and Scotland were affected by the Wannacrypt attacks yesterday.
NHS services across the country have been badly disrupted, appointments and operations cancelled and ambulances turned away, but there have not been any reports of patient data being lost, something confirmed by prime minister Theresa May overnight.
And despite initial reports to the contrary, it now seems clear that the NHS was not specifically singled out for an attack but instead one of a wide range of organisations internationally that fell victim to the Wannacrypt variant that spread like wildfire globally yesterday.
The National Cyber Security Centre quickly stepped in to co-ordinate nationally and advised: “The picture is emerging that this is affecting multiple countries and sectors and is not solely targeted at the NHS. As the Prime Minister said, we have no evidence that UK National Health Service patient data has been stolen.”
“We are very aware that attacks on critical services such as the NHS have a massive impact on individuals and their families, and we are doing everything in our power to help them restore these vital services.” The NCSC has offered advice on how to protect from Wannacrypt.
The suspicion is that many NHS trusts proved particularly vulnerable to Wannacrypt, which exploited a known flaw in Microsoft’s SMB file-sharing services, because some may have not kept up to date with Microsoft security patches, which may well raise alarm bells about the age of systems in use at many NHS trusts.
Support for Windows XP was withdrawn in April 2014 but according to Digital Health Intelligence data on NHS infrastructure as many as 20% of NHS organisations could still be relying upon it as their primary operating system, and around 90% are thought to run something on it somewhere in the organisation.
Speaking on Newsnight, Helen Stokes-Lampard, chair of the RCGP, called on the government to urgently step up investment in NHS IT infrastructure. “We and all of the other Royal Colleges have been calling for serious infrastructure investment for a long time.”
Darren McKenna, chief information officer at Northumberland, Tyne and Wear, which was not affected, told Digital Health News that the ransomware seemed a particularly nasty variant:
“It appears to be the worst combination of ransomware and a worm-like virus, so once a machine has it, it can infect another on the network using unpatched MS exploits. From the rate of spread and travel it looks like it went across some networks like wildfire.”
In the immediate aftermath of the attacks some NHS IT leaders were, however, critical of CareCert’s initial response and communications in the first few hours. One told Digital Health news, “The absence of central management and communications has been really worrying”.
NHS Digital told Digital Health News, however, that it had issued two bulletins in April to trusts including a patch and other advice, and when the attack hit “we also stood up a 24/7 service within one hour of first reports”. A spokesperson added, “There is clear information for NHS organisations on how to contact our services”.
Some NHS IT leaders expressed hope that the attacks would prove a wake-up call to the need to step-up investment in NHS IT, networks and security to protect the NHS against more serious future attacks. One commented: “Taking the long view, this is probably a good day for NHS IT.”
Another seasoned observer noted: “Overreaction? Yes. Ultimately helpful? Yes. The more the NHS delivery of service in perceived to be threatened by a lack of investment in digital the more likely we are to see budgets increased.”
Antony Walker, deputy CEO at tech industry trade body techUK, said: “This is clearly an evolving situation, but it is an important reminder for all organisations of the need to ensure that IT systems are up to date and staff have the tools and awareness they need to stay cyber secure. Organisations running out-dated systems are more vulnerable to these types of attack.”
Updated on Sunday, 14 May, 21.11, in response to an update from NHS Digital.