The crippling of over 40 NHS trusts by a repackaged piece of elderly ransomware has been used by security consultants to peddle a variety of remedies, such as following better password or patching discipline. The remedies do not address the problems that led to the vulnerabilities. XP can be made secure. The question is not “why was it still in use?” but “why was it not made secure”.
The big risk is that this “attack” was really just a trial run – to get publicity so as to soften up audiences for zero day attacks on more modern operating systems. The R&D budgets of the ransomware industry are reckoned to be greater than those of anti-virus vendors. Their profits certainly are – the Cryptolocker “team” collected $27 million via four bitcoin addresses inside two months in 2013. And that was at the beginning of an exponential wave of growth. “Merely” finding the kill switch for this particular variant is helpful. But it does not address the underlying threat to confidence in the entire on-line world – not just the NHS.
The good news, to which I will return below, is that GCHQ has finally become engaged with addressing cyber-crime. This should be a game changer.
Meanwhile, why was the NHS so vulnerable? The supposedly widespread use of an elderly operating system for which competing vendors provide security add-ons should have been a strength not a weakness. The answers lie in the structure of the NHS itself, not just its IT. I will, however begin with the “immediate” problem of incoherent and ineffective security – from reliable access to accurate information (when and where needed) to patient and practitioner confidentiality.
- NHS has far too many semi-incompatible processes to control access to information and/or systems. In consequence there are post-IT notes with current passwords stuck on screens all over the place to enable password sharing – thus making it impossible to know who has accessed what and when. A consultant surgeon working across half a dozen hospitals may have to keep track of 50 – 60 changing passwords for the systems they use, often having to hand their “little black-book” to the nurse in the operating theatre who has to re-boot information screens every 15 minutes – because they time out if not actively refreshed during a long operation (I kid you not!).
- The NHS has confused procurement with good practice and efficiency. I would be happy to bet a gold sovereign against a bent penny that the NHS has been agonising since before 2015 over which XP security service (including anti-ransomware and automated patching) to adopt as standard. Common procurement services can provide benefits – but work best when the users have a choice of which competing service to use. Thus the London Grid for Learning (jointly “owned” by the London Boroughs) has just done a bulk deal to add Intercept-X to the protection services it offers the schools its serves – at no extra cost to the schools for whose bulk procurement and support business it has to compete.
- At the heart of the problems with NHS IT is the disconnect between clinical professionals, IT professionals, Caldicott Guardians and management. This was being addressed by the NHSIA (until 2002) with a programme of incremental change based on the identification and dissemination of good practice, including common coding and inter-operability standards. Then came the ill-fated 20 minute seminar at Number 10 which led to Tony Blair’s top-down, Accenture-driven, National Plan for IT . This had the authority to implement and enforce decisions which were apparently taken in 1998, almost immediately after New Labour came to power with an agenda to complete the “unfinished business” with regard to the creation of a centralised, standardised National Health Service. The consequences were then compounded by the hierarchies of lawyer-driven PFI contracts to implement Gordon Brown’s movement of NHS “investment” (including in IT) away from the Government balance sheet.
The result has not only bled the NHS dry. It has also made good practice, as opposed to compliance with tick-box processes, impossible on almost anything – i.e. not just on security.
Radical change and/or throwing money at the problems will not help. A long term programme of incremental bottom up reform, as was in train under the NHSIA before before NPfIT, is the only way forward. Incremental change may be boring – but it is the only way of rescuing the NHS from becoming the laughing stock of most EU member states: the most expensive as well as the least capable of delivering joined up medical care.
But I would like to end on a more optimistic note. An attack on the NHS, whether by a nation state or terrorist group, has been one of the scenarios practiced in several cyberwarfare games over the past year of so. This turns out not to be such a targeted attack – but it has given GCHQ the opportunity to demonstrate that the billions spent on their interception and surveillance capabilities can be put to good use in a area where success will disarm all those who opposed the recent extension to their powers.
The response to this incident should signal the start of serious co-operation between GCHQ, Law Enforcement and the on-line community (Telcos, ISPs, Payment Services etc.) in tracking, tracing and removing not only the predators – but also those who aid and abet them (e.g. those ISPs and Domain Name Registrars who are providers of choice for on-line predators). The co-operation should include the use of civil law, not “just” criminal law. I look forward to the test case in which an NHS Trust, supported by the Attorney General, takes civil action against an off-shore (e.g. domiciled in the EU, US or a Crown Dependency) ISP or Domain Name Registrar who declines to assist. The precedents set will administer a profound shock to those internetties who think they are safe from the consequences of their actions.
However, we will need, in parallel, to take a fresh look at how the UK could/should combine rigorous and effective action against on-line predators with providing a safe on-line haven for legitimate dissents.