Why the NHS caught a hacking cough

Report says trusts ignored warnings a month before the attack

Computer Active (UK)

As ransomware attacks go, WannaCry wasn't particularly sophisticated. Although it reached 150 countries, it contained amateur flaws such as a URL in the code that security experts used to stop it spreading further. This makes the NHS's inability to deal with it all the more alarming.

WannaCry struck on Friday 12 May, crippling computers in hospitals run by 81 NHS England health trusts and 600 GP surgeries. Within hours, as systems crashed and thousands of patients were turned away, it became clear the NHS was acutely vulnerable to cyber attack. But why?

Five months on, we have the answer. A report (www.snipca.com/26061) from the National Audit Office (NAO), published in late October, found that NHS trusts hadn't acted on warnings to upgrade their operating systems. In 2014, the Department of Health told trusts to develop "robust plans" to move on from Windows XP by 2015. But the report said there was no way for the Department to check whether NHS organisations had followed its advice.

In March and April 2017 NHS Digital issued "critical alerts" warning trusts to update their systems to fix the exact flaw that WannaCry exploited. An assessment of 88 trusts by NHS Digital before the attack found that none met the required cybersecurity standards.

The Department of Health had developed a plan for coping with a cyber-attack, but the NAO says it was never tested at a local level. So when WannaCry hit, hospitals and GP surgeries didn't know how to respond. It was never obvious who was in charge.

Making matters worse, hospitals couldn't contact national NHS bodies for help because their email systems were infected, though they did speak by phone. NHS staff were forced to share information via their phones, many using WhatsApp. Keith McNeil, NHS chief clinical information officer for health and care, said "hard-working staff went the extra mile to provide patient care".

Given these failings, it's no surprise the NHS couldn't cope. And yet in some respects it got lucky. Disruption at primary-care services, such as GP and dental surgeries, was restricted to Friday, because they tend to close at weekends. An attack in January, in the middle of the flu season, would have been more devastating.

But that will be scant consolation to the patients affected. NHS England estimates that around 19,500 appointments, including those involving 139 cancer patients, were cancelled. In five areas (London, Essex, Hertfordshire, Hampshire and Cumbria) hospitals turned away ambulances, forcing them to travel to other A&E departments.

The report acknowledges that no sensitive data was stolen, no patients were harmed, and no ransom was paid, but it still delivers a damning verdict. Sir Amyas Morse, comptroller and auditor-general of the NAO, said the attack could have been prevented by "following basic IT security best practice". He warned that there are "more sophisticated cyberthreats out there" and urged the Department and NHS "to get their act together to ensure the NHS is better protected".

So what will the NHS do? Its priority is to implement all the security measures outlined by NHS Digital before the attack, such as applying security fixes. It also plans to strengthen hospitals' firewalls. But this is merely playing catch-up. Long term, the NHS also needs a culture change to take cyber-security more seriously.

139 cancer patients had appointments cancelled, and others had to travel further to A&E
