
NHS cyber attack shows need for resilient infrastructure and security education

Ransomware attack highlights system-wide issues around lack of infrastructure investment and the need for cyber security training and awareness among NHS staff

The WannaCry ransomware attack on the NHS last Friday (12 May) has revealed a systemic problem across the health service, which relies heavily on ageing infrastructure.

The attack, which affected about 50 trusts in England, including hospitals, GP surgeries and pharmacies, as well as 13 NHS organisations in Scotland, has caused major disruption across the NHS, with hospitals having to divert ambulances to other trusts, cancelling appointments and effectively having to shut down their IT systems.

Although the attack was not specifically targeted at the NHS, it has raised questions about the resilience of the service’s IT systems.

As NHS trusts have worked to recover from the attack and the disruption caused, fingers have been pointed in several directions, including vulnerabilities with IT systems, old infrastructure and a lack of cyber security awareness.

This is not the first time the NHS has suffered cyber attacks. Earlier this year, Barts Health NHS Trust was hit by a cyber attack that exploited a zero-day vulnerability, which has since been patched by the software supplier. 

And in October last year, Northern Lincolnshire and Goole Hospitals NHS Foundation Trust was targeted by a computer virus that led to it declaring a major incident, shutting down its IT systems and cancelling almost all planned operations and outpatient appointments for four days. 

The NHS has repeatedly been warned to get to grips with cyber security. Last year, national data guardian Fiona Caldicott said there were problems with data not always being protected and organisations were not being held to account consistently.

Outlining 10 new standards for data security in the NHS, Caldicott said that although there were examples of good practice and most organisations were concerned about data security, there were “problems involving people, processes and technology”.

Attacks will happen

In an interview with Computer Weekly last year, NHS Digital’s CareCERT programme head warned that cyber attacks “will happen” and that organisations need to be prepared.  

“We should not be afraid of acknowledging that something may happen,” he said. “It’s the simple thing that if you don’t prepare for it and you have the mentality that it won’t happen, then you’re not prepared. Do we really think, in a digital world, that it won’t happen?”

Over the weekend following the latest attack, CareCERT issued guidance to NHS organisations about how to ensure their security software patches were up to date, and how to remove the vulnerability exploited by WannaCry.

It asked trusts to immediately disconnect computers from the network and then restore and build the machines from “a known good back-up before being entered back onto a clean network or any centralised deployment methods that are utilised”.

Although no one could have prevented the attack from happening in the first place, was its large-scale effect avoidable?

One of the key issues across the NHS is its reliance on ageing infrastructure and some IT systems that can only function using old operating software.

An example of this is NHS trusts’ continued reliance on Windows XP, despite the fact that support for this obsolete operating system finally ended in April 2015. The ransomware exploited a flaw in Microsoft’s SMB file-sharing service on machines that had not received Microsoft’s security patch for it. Battling with a lack of funding, some NHS trusts are running unpatched XP machines, leaving them vulnerable to attack.


NHS Digital said most trusts now run “contemporary systems”, but added that 4.7% of devices in the NHS use XP. However, this figure does not show how many IT systems in the NHS are running on software that is compatible only with old operating systems.

“This may be because some expensive hardware [such as MRI scanners] cannot be updated immediately, and in such instances, organisations will take steps to mitigate any risk, such as by isolating the device from the main network,” NHS Digital said in a statement.

One former NHS IT director, who wanted to remain anonymous, told Computer Weekly that trusts simply do not have the cash to upgrade their systems. “Upgrades are costly and there simply isn’t enough money in most NHS trusts’ budgets,” he said.

A current NHS IT director said that although there has been increased support from government to upgrade IT across NHS trusts, as well as support from trust boards, investment in infrastructure is not given enough priority.

“We are working with very restrained budgets and are struggling simply to keep the lights on at times,” said the IT director. “There is a push from NHS England to implement integrated electronic records, but there is no point in putting in a great front-end when we are running decades-old back-end infrastructure.” He added that the trust did not have a specific budget for cyber security.

When the news of Friday’s cyber attack broke, many trusts were quick to simply switch off their systems, leaving clinicians unable to access blood test results, X-ray reports and patient details.

NHS Wales, which was unaffected by the attack, blocked all inbound emails from both external senders and NHS England over the weekend.

On Friday, Microsoft released an updated patch for older Windows systems, “given the potential impact to customers and their businesses”. Patches are now also available for Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86 and Windows 8 x64.

Government criticised

Labour and the Liberal Democrats were both quick to criticise the lack of funding and lack of cyber security across the health service.

Jonathan Ashworth, Labour’s shadow health secretary, described the attack as a “real worry” and added: “This incident highlights the risk to data security within the modern health service and reinforces the need for cyber security to be at the heart of government planning. The digital revolution has transformed the way we live and work, but we have to be ready for the vulnerabilities it brings, too.

“The government need to be clear about what has happened, and what measures it is taking to reduce the threat to patients. The safety of the public must be the priority and the NHS should be given every resource to bring the situation under control as soon as possible.”

Using the attack to promote Labour’s NHS policies, Ashworth promised £10bn in capital investment to “upgrade IT systems, prioritise the cyber security of the networks and renew crumbling hospitals” should Labour win the general election in June.

In a speech at the Royal College of Nursing today, Labour leader Jeremy Corbyn said the Labour Party would pledge an “extra £7.4bn a year for the NHS throughout the next Parliament, including £2bn annually to modernise buildings and IT systems”.

In an open letter to health secretary Jeremy Hunt, Ashworth urged the minister to “publicly outline the immediate steps you will be taking to significantly improve cyber security in our NHS”. He called on Hunt to launch an immediate, independent inquiry into the attack.  

“The public has a right to know exactly what the government will do to ensure that such an attack is never repeated again,” he said.

Liberal Democrat shadow home secretary Lord Paddick said the attack was a result of the Conservatives’ “failure to provide the NHS with sufficient security systems to protect them from cyber attacks”.

He added: “The Conservatives try to paint themselves as the party of law and order, but crime has changed and they have failed to keep up. Instead of investing in the security of the systems that our public services rely on, they have chosen to extend surveillance systems instead.

“Rather than giving the NHS the funding it needs to keep its IT up to date, you have a home secretary who wants to weaken encryption and waste millions on unnecessary intrusion into people’s privacy.”

Cyber security education

While the NHS’s lack of cyber security infrastructure has been the main issue highlighted, a lack of awareness about cyber security on the ground is also important.

A survey by IT security supplier Sophos, published last year, found that most NHS organisations thought they were protected against cyber crime even though very few had encryption embedded in the organisation.

The study, which surveyed 250 NHS CIOs and IT managers, found that the perceived strength of security measures in the NHS fell short of the actual level of security.

According to the survey, 75% of NHS organisations believed they were “protected against cyber crime”, and 84% said encryption was becoming a necessity. However, just 10% said encryption was “well established” within their organisation.

NHS Digital’s CareCERT programme aims to educate NHS trusts and staff about how to prepare for cyber attacks and implement cyber security essentials. CareCERT was set up in 2015 as a cyber security service to manage risks to data in health and care.

Funded under the Cabinet Office’s national cyber security programme, CareCERT aims to provide incident response expertise for managing cyber security incidents and be a central source of security intelligence. It will also provide best practice and guidance for organisations, as well as supporting the analysis of emerging and future threats.

The organisation has issued a series of guidance documents and is working around the clock to help trusts deal with the current attack. It is continuing to distribute regular alerts about the attack, ensuring that NHS trusts are aware of updates.

Poor cyber security culture

As highlighted by CareCERT head Dan Taylor last year, one of the biggest challenges in cyber security is people.

Staff on the ground have little education about cyber security, and both IT directors Computer Weekly spoke to said that although there is cyber security training in place at most NHS trusts, it does not seem to have much impact and cyber security awareness in the NHS is still in its infancy.

Often, a lack of proper integrated IT means that clinical staff use “workarounds” to make systems work more easily for them.

The former NHS IT director said: “Clinical staff on the ground want to do their work as well and as efficiently as possible, and when the systems we use are not allowing them to do so, they find other solutions.”

This includes writing down the numerous passwords they have to keep track of on Post-it notes, or on their phones, and keeping computers logged on when going to the toilet or getting a coffee, because they would have to start their current session again if they logged out and came back.

One junior doctor told Computer Weekly that NHS staff often use the messaging app WhatsApp to communicate. Although never mentioning the names of patients, one clinician may remind another to get blood tests done on a patient via the messaging app rather than use the cumbersome pager and phone system deployed in most hospitals.

Although none of these examples are directly related to Friday’s attack, they illustrate that good cyber security practice is not in place across the NHS.

Caldicott’s report last year also highlighted the issue of bad practice across the NHS. “Examples of poor practice include confidential papers being stored in unlockable cabinets, faxes being sent to the wrong number, and the use of unencrypted laptops,” she said. “As the health and social care system becomes increasingly paperless and digital, many of these issues will be addressed automatically.”

Getting back to normal

Trusts have worked tirelessly over the weekend to get hospitals and GP surgeries running normally again, but several trusts are still unable to run services as normal.

Barts Health NHS Trust was forced to divert stroke and trauma care elsewhere over the weekend, but those services are now operational.

However, although the trust is now running some planned surgery and outpatient appointments, it is operating a reduced service and has had to cancel some appointments for today and tomorrow.  

NHS Fylde and Wyre Clinical Commissioning Group said many GP practice computer and telephone systems are still affected by the attack and told patients: “If you intend on trying to telephone your GP or visiting in person to make an appointment, please do not, unless it is vital that you are seen by a GP on Monday.”

In guidance issued to NHS organisations, NHS Digital said that before turning on their computers, staff should check with “whoever is responsible for IT updates within your organisation”.

“Technical guidance is to turn on systems while in a quarantined state and look for signs of infection,” the guidance said. “If no infection is present, apply patch and reconnect to network. If infection is present, re-image, apply patch and reconnect to network.”
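The recovery sequence NHS Digital describes (bring a machine up quarantined, look for infection, patch or re-image, then reconnect), together with the isolation fallback it gave earlier for hardware that cannot be updated, is the kind of decision a trust has to apply to every host in an inventory. The following Python script is an added example and is not code from the article, NHS Digital or CareCERT; the CSV columns, the host names and the operating-system mix in the sample inventory are constructed for illustration, and the `patch_available` column stands in for whatever a trust uses to record whether a fix exists for a given operating system.

```python
"""
Fleet triage helper encoding the quarantine -> check -> patch/re-image ->
reconnect logic, plus the "isolate what cannot be patched" fallback.

Example code only: inventory format and sample hosts are constructed.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    RECONNECT = "clean and patched: reconnect to network"
    PATCH_THEN_RECONNECT = "clean but unpatched: apply patch, then reconnect"
    REIMAGE_PATCH_RECONNECT = "infected: re-image from known-good image, patch, reconnect"
    REIMAGE_KEEP_ISOLATED = "infected and no patch exists: re-image, keep isolated"
    KEEP_ISOLATED = "no patch exists for this OS: keep off the main network"


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    segment: str            # "main" or the name of an isolated segment
    patch_installed: bool   # fix for the SMB flaw already applied
    patch_available: bool   # a fix exists for this OS at all
    infected: bool          # signs of infection found in the quarantined check


# Constructed sample inventory (hypothetical hosts, not from the article).
SAMPLE_INVENTORY = """host,os,segment,patch_installed,patch_available,infected
ward-pc-01,Windows 7,main,yes,yes,no
ward-pc-02,Windows XP SP3 x86,main,no,yes,no
reception-03,Windows XP SP3 x86,main,no,yes,yes
mri-console-01,Windows XP Embedded SP3 x86,imaging-isolated,no,no,no
lab-analyser-02,Windows 2000,main,no,no,no
"""


def _flag(value: str) -> bool:
    """Accept the usual spellings of a boolean column value."""
    return value.strip().lower() in {"yes", "y", "true", "1"}


def parse_inventory(text: str) -> list[Host]:
    """Parse a CSV inventory with the columns used in SAMPLE_INVENTORY."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Host(
            name=r["host"].strip(),
            os=r["os"].strip(),
            segment=r["segment"].strip(),
            patch_installed=_flag(r["patch_installed"]),
            patch_available=_flag(r["patch_available"]),
            infected=_flag(r["infected"]),
        )
        for r in rows
    ]


def triage(host: Host) -> Action:
    """Decide what happens to one host after its quarantined check."""
    if host.infected:
        # Infected machines are rebuilt from a known-good image; whether
        # they may rejoin the network depends on a patch existing.
        return (Action.REIMAGE_PATCH_RECONNECT if host.patch_available
                else Action.REIMAGE_KEEP_ISOLATED)
    if host.patch_installed:
        return Action.RECONNECT
    if host.patch_available:
        return Action.PATCH_THEN_RECONNECT
    # Clean, but no fix will ever arrive for this OS: network isolation is
    # the only mitigation left.
    return Action.KEEP_ISOLATED


def triage_inventory(text: str) -> dict[str, Action]:
    """Map every host name in the inventory to its recovery action."""
    return {h.name: triage(h) for h in parse_inventory(text)}


def misplaced_unpatchable(text: str) -> list[str]:
    """Hosts with no available patch that still sit on the main segment.

    These are the devices the guidance says must be moved off the main
    network, regardless of whether they currently look clean.
    """
    return sorted(
        h.name for h in parse_inventory(text)
        if not h.patch_available and h.segment == "main"
    )


if __name__ == "__main__":
    for name, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:16} {action.value}")
    print("needs isolating:", misplaced_unpatchable(SAMPLE_INVENTORY))
```

Running the script prints one line per host; the point of the separate `misplaced_unpatchable` report is that a device can pass the infection check and still be in the wrong place on the network, which is exactly the situation the earlier NHS Digital statement about scanners describes.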
