Special Report: Cybersecurity
WannaCry put healthcare cyber security in the headlines and on local and national priority lists. But, two years later, have lasting changes truly been made? Or has the momentum been lost? Jennifer Trueland reports.
In the aftermath of WannaCry in May 2017, cyber security gained a higher profile than ever before in the NHS. The topic gained traction at board level in NHS organisations, and governments across the UK announced immediate action to support the NHS to protect itself in the event of a similar attack.
As we approach the second anniversary of WannaCry, however, questions remain over whether lessons of the attack have truly been heeded. In particular, is there a risk that after the initial flurry of initiatives, momentum around cyber security has been lost?
Gary Colman, head of IT audit and assurance services at West Midlands Ambulance NHS Trust – which also provides cyber security services to other public and private sector organisations – reports a mixed picture.
“From one point of view WannaCry was a good thing because it meant that cyber security was boosted up the agenda,” he says.
“One good thing is that we have IT security managers now – they didn’t really exist in many places before, but now it’s odd to go into an [NHS] organisation that doesn’t have one.”
Dull can be good
Part of Colman’s job involves going into organisations and checking for vulnerabilities – so-called ethical hacking or penetration testing. Before WannaCry, and the steps taken in its wake, this would generally throw up substantial numbers of serious vulnerabilities. This has now changed.
“Our life as penetration testers is getting duller,” he laughs. “You can really see that there has been investment. NHS organisations have been getting new kit and firewalls and there’s been a lot happening at a national level – NHS Digital has really been pushing this.
“But not only is there a lot of shiny cool kit going in from a geeky point of view, you can also see that organisations are getting better at getting the basics right.”
That said, he has noticed that good practice put in place post-WannaCry has come under threat in some organisations. For example, organisations can be reluctant to lose access to services while regular security patching takes place.
“What we are being told is that some people are saying that you can’t take the system down because we need it,” he says. “It’s about competing priorities. For clinicians, their priority is the patients and they feel they need the clinical systems to remain up.”
More patience for patching?
William Edwards, e-health director at NHS Greater Glasgow and Clyde, does believe NHS staff are generally more knowledgeable about cyber security than they were before WannaCry.
“People are aware of the need for cyber security and managing risks in their own lives as well as at work. That means that if we need to have planned downtime for patching, for example, they are more tolerant of having to wait as their system updates than they might have been in the past.”
Although NHS Scotland was not immune from the WannaCry outbreak, Edwards believes the national approach set in motion in July 2015 stood it in good stead. The Scottish Government eHealth NHS Scotland Information Security Framework mandated all NHS boards follow policies based on industry good practice standards.
“This was backed at the highest levels of government and meant that health boards held a mirror up to themselves to see where they were and what they needed to do,” says Edwards.
“The e-health leads for all health boards meet monthly and this framework has helped us to have an ongoing conversation about where we are and what we need to do.” Cyber security is also a key part of Scotland’s relatively recent digital health and care strategy, he adds.
No longer a resented purchase
Jonathan Lee, UK healthcare sector manager with Sophos – a global IT security company with its headquarters in the UK – believes WannaCry was a wake-up call for the NHS. “It meant that people started putting in place the things they’d been meaning to do for the previous two years,” he says. “There are a variety of reasons why they didn’t do it before – including cost, and finding a security plan that didn’t stifle productivity.
“What WannaCry did was to raise cyber security to board level. It meant people could put in place the things they had known they should be doing; that it moved from being a ‘grudge purchase’ to something they had to do.”
The move to allow the NHS to upgrade its devices to Windows 10 is positive, he says, but also holds risk. “It’s a double-edged sword because it has also taken the focus off the day-to-day things that people were doing to improve their security.”
He stresses that “people should redouble their focus”. “WannaCry was just one threat, and the NHS is under threat every day. It needs to remain high on the agenda.”
Knowledge is key
For Mark Bishop, technical director at CTO Technologies, knowledge is key. “It’s important that customers understand what their vulnerabilities are and make sure they are protected from the latest malware risks,” he says.
“But although I think the intent is there, a lot of organisations are still struggling. They might be taking a more robust approach to patching, for example, but are still finding it hard to keep up to date.
“What we do know is that cyber security risks are increasing all the time – and an attack only needs to work once.”
Out-of-date infrastructure remains a critical cyber security challenge – and with resources thin on the ground, NHS organisations can be stuck with equipment that is decades old.
“Often there simply isn’t the budget to replace the PC estate, for example,” says Bishop. “And from the medical side, there are clinical systems that only work with certain versions of software.”
No quick fix
While he praises some of NHS Digital’s action around cyber security, including updating organisations on risks and solutions, he warns that achieving required standards isn’t necessarily easy. “IT teams are stretched,” he says. “And often there simply isn’t a quick fix.”
While a robust patching process is essential, so is having the assurance that a patch has been deployed and that it has actually taken effect. Part of the disruption caused by WannaCry actually came from organisations that were not affected shutting down their systems because they did not know whether or not they were at risk. “They were actually patched, but they didn’t know they were,” says Bishop. “Knowledge is power.”
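One way to turn that distinction between “deployed” and “worked” into a routine check, as an added example that is not the article’s code nor that of any organisation quoted in it: a small Python script that reads a patch inventory export and reports each host as protected, installed but unverified, unpatched, or unknown. The export format, the host names, the patch identifier and the timestamps are all constructed for illustration (the patch id is a placeholder, not a real Microsoft KB number); in practice the rows would come from a patch-management tool or a remote hotfix query.

```python
"""Patch-assurance report: tells 'deployed' from 'confirmed effective' and
'unknown' from 'unpatched'.  Added example; not code from the article or from
any organisation quoted in it.  The inventory format, host names, patch id and
timestamps are constructed for illustration."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Placeholder identifier; a real check would use the vendor's advisory/KB number.
REQUIRED_PATCH = "KB-EXAMPLE-0001"

# Constructed export (hypothetical format) such as a patch tool or a remote
# hotfix sweep might produce: one row per host; blank fields mean "no answer".
INVENTORY_CSV = """host,reachable,installed_patches,installed_at,last_boot
ward-pc-01,yes,KB-EXAMPLE-0001;KB-EXAMPLE-0002,2017-03-15T02:10:00,2017-03-15T03:00:00
ward-pc-02,yes,KB-EXAMPLE-0001,2017-05-13T22:30:00,2017-05-01T07:00:00
theatre-pc-03,yes,KB-EXAMPLE-0002,,2017-04-02T06:15:00
mri-console-04,no,,,
pharmacy-pc-05,yes,KB-EXAMPLE-0001,2017-03-20T01:00:00,
"""

# What each status should trigger; "unknown" is deliberately not "at risk".
ACTIONS = {
    "protected": "no action; keep the evidence for audit",
    "installed_unverified": "confirm a reboot since install (or the build version) in planned downtime",
    "unpatched": "schedule deployment; prioritise for the next downtime window",
    "unknown": "re-query or check by hand before deciding anything; do not assume safe or at risk",
}


@dataclass
class HostRecord:
    host: str
    reachable: bool
    installed_patches: Tuple[str, ...]
    installed_at: Optional[datetime]   # when the required patch was installed
    last_boot: Optional[datetime]      # last reboot reported by the host


def _ts(value: str) -> Optional[datetime]:
    """Blank timestamp -> None, otherwise ISO 8601."""
    value = value.strip()
    return datetime.fromisoformat(value) if value else None


def parse_inventory(text: str) -> List[HostRecord]:
    """Parse the CSV export into HostRecord objects."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append(HostRecord(
            host=row["host"].strip(),
            reachable=row["reachable"].strip().lower() == "yes",
            installed_patches=tuple(p.strip() for p in row["installed_patches"].split(";") if p.strip()),
            installed_at=_ts(row["installed_at"]),
            last_boot=_ts(row["last_boot"]),
        ))
    return records


def assess(rec: HostRecord, required: str = REQUIRED_PATCH) -> str:
    """Classify one host.

    'Installed' is not 'working': a patch that needs a reboot only protects
    the host once it has rebooted after the install time, so a missing or
    earlier last_boot is reported as unverified rather than as protected.
    """
    if not rec.reachable:
        return "unknown"
    if required not in rec.installed_patches:
        return "unpatched"
    if rec.installed_at is None or rec.last_boot is None or rec.last_boot < rec.installed_at:
        return "installed_unverified"
    return "protected"


def report(records: List[HostRecord], required: str = REQUIRED_PATCH) -> Dict[str, List[str]]:
    """Group host names by status (sorted), with every status present even if empty."""
    grouped: Dict[str, List[str]] = {status: [] for status in ACTIONS}
    for rec in records:
        grouped[assess(rec, required)].append(rec.host)
    for hosts in grouped.values():
        hosts.sort()
    return grouped


if __name__ == "__main__":
    for status, hosts in report(parse_inventory(INVENTORY_CSV)).items():
        print(f"{status:22} {len(hosts):2}  {', '.join(hosts) or '-'}  -> {ACTIONS[status]}")
```

The design point is that “unknown” and “installed but unverified” are their own buckets with their own actions: an unreachable console is a prompt to go and look, not a reason to assume compromise, and a host that has the patch on disk but has not rebooted since is a candidate for the next planned downtime window rather than a tick in the protected column.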
Although nobody knows where the next successful cyber attack will come from, or what form it will take, Bishop warns that one potential flashpoint could be the ending of Microsoft support for Windows 7.
A window to an attack?
Although all NHS organisations are supposed to have migrated to Windows 10 by the cut-off date in January of next year, some will find that challenging, Bishop warns.
“Nasty people hold on to vulnerabilities [in systems] then act when they know that Microsoft is no longer providing patches,” he says. “It’s a huge process migrating to a new system; some of them won’t have done that, which means there is the potential for problems.”
Protecting yourself against cyber attacks isn’t always about the money, says Jason Cresswell, IT security manager at The Health Informatics Service (THIS). “Around 90 per cent of security is free – it’s about using up-to-date software. Protecting yourself against WannaCry should have cost people nothing, because the Microsoft patch was free and it was already out there – there was no reason not to roll it out.”
He advocates a common sense approach. “At its most basic it’s like your home security,” he says. “If you shut the windows and lock the doors, that doesn’t cost you anything and it goes quite a long way to keeping you secure.”
It also comes down to training and what he calls “social engineering”. That includes making sure staff know not to click on dubious emails.
The Health Informatics Service is based at Calderdale and Huddersfield NHS Foundation Trust, but also provides services and solutions to health, social care, social enterprise and third sector organisations across the UK. According to Cresswell, the NHS isn’t any worse than any other sector when it comes to preparedness. But he warns that memories can be short.
“WannaCry certainly wasn’t the first attack to have an impact on the NHS – Conficker caused disruption eight years ago,” he says. “We don’t know what the next thing will be, but we do know there are new threats coming out every day.”