Lack of accountability and investment blamed for NHS cyber attack

An approach built on partnerships, sharing and mutual accountability is essential to ensure a cyber-safe NHS, according to BCS, the Chartered Institute for IT

A lack of accountability and investment in cyber security measures is to blame for the WannaCry ransomware attack on NHS IT systems in May 2017, a report has found.

The global attack affected about 50 health trusts in England, including hospitals, GP surgeries and pharmacies, as well as 13 NHS organisations in Scotland, causing major disruption across the NHS. Some hospitals were forced to divert ambulances to other trusts for up to six days and to cancel operations and appointments.

While doing their best with the limited resources available, some hospital IT teams lacked access to the resources they needed, according to the newly published report by BCS, the Chartered Institute for IT.

Specifically, staff lacked access to trained, registered and accountable cyber security professionals with the power to assure hospital boards that computer systems were fit for purpose, said the report, Blueprint for cyber security in health and care.

The overall aim of the initiative is to prevent harm to the public where established cyber security good practice could prevent it.

The healthcare sector has struggled to keep pace with cyber security best practice and with a systemic lack of investment, said David Evans, director of community and policy at the institute.

“Ultimately, the WannaCry attack was an inevitability, but patients should be able to trust that hospital computer systems are as solid as the first-class doctors and nurses that make our NHS the envy of the world,” he said.

In an attempt to ensure that a future cyber attack will not have the same impact as WannaCry, BCS has partnered with the Patients Association, the Royal College of Nursing, BT and Microsoft to produce a blueprint that outlines steps NHS trusts should take.

Clearly laid-out standards

Top of the list is ensuring there are clearly laid-out standards for accrediting relevant IT professionals, while NHS boards are urged to ensure they understand their responsibilities and how to make use of registered cyber security experts.

Asked why this initiative is being driven by the institute, Evans said that as a charity with a Royal charter, bringing people together to solve problems that matter to real people is just the kind of thing the BCS is required to do.

“What happened in the NHS [as a result of the WannaCry attack] meant that real people were at the wrong end of this like never before, and this has moved into the public consciousness in a new way,” he told Computer Weekly.

“We are not saying that our role is to solve everything and deal with every aspect. In fact, what we have been very concerned to do is to build a coalition from every part of the system to work differently and to establish a professional community with a strong voice for the public good.”

For this reason, the institute has been reaching out to sister organisations including the IET (Institution of Engineering and Technology), other charities such as Barnardo’s and the Patients Association, and the tech sector.

“People can be very cynical about tech organisations, and they are there to make a profit, but the human beings within these organisations want things to work and they want to help protect people,” said Evans.

Bringing communities together

Paul Newman, head of information technology at the Royal College of Nursing, said: “This isn’t about telling people what to do, it’s about supporting them – bringing together communities with knowledge and expertise to enable others.”

John Kell, head of policy at the Patients Association, said cyber security is vitally important to patients, and will become ever more so.

“It almost goes without saying that people must feel confident in the security of their personal data,” he said. “But at least as important is that we are able to seize the opportunities presented by digital technology to enable patients to take control of their care.”

Jason Hall, director – NHS Digital, BT business and public sector, said BT believes it is critical for health and care services to be protected from cyber attack.

“We pledge our support for this roadmap for a cyber-safe NHS, extending our professional support, shared good practice, threat intelligence and resources,” he said. “We will contribute to developing the roadmap and collaborate to enhance NHS cyber security.”

Special responsibility

Hugh Milward, director, corporate, external and legal affairs at Microsoft UK, said that as a technology company, Microsoft has a special responsibility to address cyber security issues.

“We fully support the Blueprint for cyber security in health and care as a means to provide a benchmark in cyber security best practice,” he said.

“Across the tech sector, advances are being made which are making important contributions in the fight against cyber security threats, but more action is needed, and it is needed now.

“It is important that lessons are taken from previous incidents and applied to strengthen our collective response and capabilities, with the tech industry, customers and governments working together to protect against cyber security threats.”

By the end of 2017, the draft roadmap calls for the definition of the role of NHS organisational boards and IT/cyber professionals in the NHS, what they can expect from each other, and what the public can expect.

This process is aimed at establishing clear standards of practice for NHS organisations’ boards and standards for accreditation of relevant professionals to deliver for boards, and will include a public and professional consultation.

By the end of the year, the roadmap also calls for the start of the first tranche of courses for digital leaders, working with programmes across the UK such as the NHS Digital Academy, and a clear, costed and resourced plan to deliver the 2020 roadmap.

According to the roadmap, 2018 should include the first tranche of professionals across health, care and as many other sectors as possible qualifying and registering as professionally competent, and the start of the roll-out of advice and guidance to NHS boards.

Goals for 2019 include the expansion of the number of professionals undertaking qualifications and registering and the induction of NHS boards and relevant organisations, so that they enter 2020 with a clear understanding of their responsibilities, with plans in place.

The roadmap aims to provide assurance to the public that NHS organisations are equipped to meet current and future challenges and that there are accountable professionals keeping the NHS safe from cyber attacks.

Other goals for 2020 include highlighting where there are gaps and being in a position to learn from future incidents and to anticipate threats reliably.

Engaging in dialogue

In addition to laying out the draft roadmap, the blueprint calls on policy-makers to commit to engaging in dialogue and support the policy actions that are required to deliver the roadmap, and on professional institutions to build shared solutions and to recognise that collaboration between multiple professional communities is essential.

The blueprint also calls on partner organisations to lend their support by participating in the development of the roadmap, on professionals to declare their support for each other and to play their role in taking responsibility for protecting the public, and on the public to demand that their needs are met and that their interests are protected.

Before the WannaCry attacks, Barts Health NHS Trust was hit by a cyber attack in January 2017 that exploited a zero-day vulnerability, which has since been patched by the software supplier. And in October 2016, Northern Lincolnshire and Goole Hospitals NHS Foundation Trust was targeted by a computer virus that led to it declaring a major incident, shutting down its IT systems and cancelling almost all planned operations and outpatient appointments for four days.

The NHS has been warned repeatedly to get to grips with cyber security. In 2016, national data guardian Fiona Caldicott said there were problems with data not always being protected and organisations were not being held to account consistently.

Outlining 10 new standards for data security in the NHS, Caldicott said that although there were examples of good practice and most organisations were concerned about data security, there were “problems involving people, processes and technology”. The newly unveiled initiative by the BCS and its partners is aimed at addressing those problems within the next three years.