Access your Pro+ Content below.
Royal Holloway: Man proposes, fraud disposes
Sponsored by ComputerWeekly.com
In May 2017, a strain of ransomware called WannaCry infected 32 NHS trusts in England. The NHS’s report on the incident noted that all English local authorities reported being unaffected, despite also being connected to the NHS’s own national network. Ultimately, the attack proved the NHS’s centralised information governance to be weaker than the equivalent governance applying to local authorities. The critical difference in approach was that unlike local authorities, the NHS didn’t require its organisations to test their security. There is also evidence of the NHS mistrusting local authorities’ information security management, which may have biased the NHS against adopting areas of better practice, like testing, from local authorities.
Table Of Contents
- When looking for an example of a well-documented cyber attack to learn from, it is hard to look past the WannaCry attack that affected the NHS in England in May 2017.
- There are four principal causes described in the NHS lessons learned report: Failure to patch promptly; failure to keep antivirus software up to date; failure to manage the risk from obsolete equipment that was ‘unpatchable’; and weak firewall/boundary controls for the internet and the NHS national network (N3).
- The security controls mandated for NHS trusts and local authorities at the time of the WannaCry attack differed significantly.
- It is telling that NHS Digital’s post-WannaCry response was to turn to Cyber Essentials Plus (CE+), a generic information security certification available to any UK organisation, rather than directly audit organisations against its own, bespoke, Information Governance Toolkit.
- The adage “If it’s not tested, it doesn’t work” perhaps best sums up why the NHS was so vulnerable to WannaCry.