The recent WannaCry attack brought the fact that ransomware is no longer just the scourge of the consumer sharply into focus for organisations across all market sectors. Nowhere was that focus sharper than within the health sector generally, and the NHS in particular.
The recent WannaCry attack brought the fact that ransomware is no longer just the scourge of the consumer sharply into focus for organisations across all market sectors. Nowhere was that focus sharper than within the NHS.
Tackling the problem proved difficult, and costly, for the NHS in England. Yet healthcare in Scotland and Wales coped far better, and for a very good reason which I’ll come to momentarily. First, let’s lay the ‘NHS targeted by ransomware’ myth firmly to rest.
When a criminal organisation, nation state or even an individual threat actor decides to cast a broad cyber attack net in search of a return then it’s inevitable that victims will come in all shapes and sizes.
Launching such an attack is stupidly easy and cheap, which means it’s within the wit of previously pretty technically witless actors who find themselves with the means to generate a criminal revenue stream without much effort required. Renting botnet ‘attack time’ costs little and the potential rewards are high. Economies of scale are at work, and it’s easy to see the attraction from the attacker’s perspective.
Launching a phishing attack is cheap as chips
It costs much the same to distribute 100,000 malware infected phishing emails as it does 1,000 (in fact, it scales up even larger but let’s use that number for the purpose of illustration). How little, do I hear you ask? I could rent a botnet for half an hour in order to send those 100,000 emails and still have change from a twenty quid note to have a couple of pints of beer and some chips on the way home.
What’s more, Bitcoin rate fluctuations apart, with the average ransomware asking for £500 I would only need a 0.1% hit rate to lock down 100 people’s data and, with an average of 44% of UK folk paying the ransom, that’s £22,000 in my pocket. Sure, it is far from a risk-free business model but then criminals are hardly risk-averse types.
Organisations more likely to pay than individuals
Here’s the thing, most research suggests that organisations which do get infected are far more likely to pay up than individuals. The ransom paid rate rises from 44% to 65% simply because it is often calculated to be cheaper to risk a few hundred quid on the basis that the decrypt code will work than many tens of thousands in downtime and recovery procedures. That’s a very misguided calculation, of course, as systems need checking and removing the source of infection is rarely straightforward in large enterprises.
There’s always a cost to all of this, and the health sector should understand better than most that prevention is better than cure. Understanding how systems became compromised is essential, not least as the scattergun approach to ransomware distribution isn’t the only fish in the pond.
More so than ever post-WannaCry, cyber criminals are understanding the profit potential of health sector targets. Ransomware variants such as SamSam are specifically crafted to target businesses, and the ransoms demanded are much higher and are variable depending upon the market sector of the victim.
NHS can’t be ransomware free but can reduce risk of exposure
So how can the NHS ensure health is a ransomware free zone? Well, it can’t, is the none too popular but technically accurate answer. What it can do, however, is dramatically reduce the risk of exposure to the threat. But that’s going to take both money and a will to push data security higher up the agenda. Whilst WannaCry may well have an influence on the latter, the former will remain the sticking point.
It’s easy, but misguided, to lay the blame for WannaCry and the like firmly on IT managers. Notwithstanding everything that I have said about ensuring as secure a security posture as possible, including the application of available OS and system software patches, sometimes doing the right thing isn’t the same as doing the best thing within your scope. That’s the reality of the position many IT managers in the NHS found themselves facing pre-WannaCry and one that has only been exasperated since. Here’s the truth bit: many trusts have found themselves unable to actually update the OS without impacting some clinical systems involved.
Some suppliers not invested in keeping systems up to date
This is not the IT managers fault, this is because the suppliers of those systems have either not invested in keeping clinical software up to date or are simply unable to in some cases. I have heard, for example, of a laboratory that is unable to print specimen labels following the application of the MS patch. Small fry when compared to the impact of WannaCry for sure, but tell that to the clinicians whose labelling systems are no longer working and the ongoing interruption to the work process that this brings with it.
Not that this is an impossible situation to solve of course, and many healthcare organisations have done so without any real fuss. Take those in Wales maybe, where the NHS Wales Informatics Service provides centralised IT across trusts and GP surgeries amounting to more than 70 varied software services. With all hospitals and GPs services coming from the centre, a quick and consistent response to an attack such as WannaCry is stupid easy to achieve.
Even Scotland, where centralisation of IT isn’t as complete, coped better than England did. With 14 geographic health boards, the NHS in Scotland could better address the WannaCry issue (although at least one region did not escape the ransomware reach).
Decentralised IT makes it harder to respond to cyber security attacks
What it shows, I think, is how the less centralised IT is the harder it becomes to respond to such cybersecurity attacks. England was hit hardest because it has the least IT servicing from the centre whereas Wales escaped the same levels of disruption because it has the most.
In the highly devolved English NHS, while NHS Digital has some overview of data and IT systems for the health and social care sectors and a dedicated Data Security Centre, it has no authority over local authorities and trusts to ensure even simple security measures are implemented, such as software updates and patches.
A simplistic conclusion perhaps, but with more than 400 NHS employers across England and no central organisational control over IT beyond the use of regional commissioning support units, one that cannot be ignored.
Need combined clout to hold suppliers to account
It’s harder for individual trusts to tackle those suppliers who insist that a patch cannot be applied without interfering with the clinical software than it would be for the combined clout of a central service organisation. Suppliers cannot continue to charge ongoing support fees when ongoing support appears to involve shirking security issues. It should be the supplier which has responsibility for ensuring that patches can be applied, that security is not compromised. Those that are unable, or unwilling, to do so should be kicked to the kerb in the soonest possible timeframe.