Gajus - Fotolia

CW500: How the NHS WannaCry cyber attack unfolded

NHS Digital’s head of security talks about the security landscape in the NHS and why it led to extra challenges when the WannaCry cyber attack hit the NHS in May 2017

In May 2017, the NHS fell victim to a large-scale cyber attack which affected around 50 health trusts in England, including hospitals, GP surgeries and pharmacies, as well as 13 NHS organisations in Scotland.  

NHS Digital’s head of security, Dan Taylor, told the latest CW500 club how the Wannacry malware attack unfolded, why it had such an impact on the NHS and how the centre handled supporting organisations across the country as they grappled with the incident.

The WannaCry attack wasn’t specifically targeted at the NHS – in fact, more than 200,000 computers in 150 countries were infected by the malware. However, in the UK, NHS organsiations were among the most severely hit, with some hospitals being forced to divert ambulances to other trusts for several days, as well as cancelling operations and appointments.

One of the reasons the NHS was so affected is its organisational structure. Whereas the Department of Health is responsible for policy, NHS England is responsible for commissioning services and NHS Digital acts as the data and information organisation, every single NHS trust or GP surgery out there is responsible for their own security.  

The problem is there’s a national scale issue, such as WannaCry, affecting the system, but you actually have no control, said Taylor.

“At the same time, cyber security is not just a local issue. The information assets in health and care are such that it is a national problem, and when the national problem hits, there is no one responsible for that cyber attack,” said Taylor. “Each individual organisation is responsible for their remediation; each individual organsiation are data controllers in their own right.”

This was a system most seemed to have been happy with until WannaCry, when all the local organisations needed and wanted central support.

NHS under attack

On 12 May, Taylor was out for lunch with a colleague when he received the phone call that would change the approach to cyber security in the NHS.

“I was out for lunch when I got the call and it all started,” said Taylor. WannaCry, he added, was not a complex exploit, but it was clever.

“WannaCry traversed public networks. It could effectively go from pillar to post, and just exploited a very simple firewall vulnerability. Once it was in, it effectively exploited unpacked systems,” said Taylor.

The problem is that unfortunately, “patching is a problem for health”. Why? Not only is the NHS under severe financial constraint, but technology and security is not the main order of business.

Read more about cyber security in the NHS

  • Many NHS trusts are failing to scan internal apps for security-related defects or scan web perimeter apps regularly, potentially exposing patient data to cyber breaches.  
  • A cyber attack on England’s largest NHS trust, Barts Health, has underlined the importance of cyber security at healthcare organisations and has raised renewed fears about NHS legacy IT systems.  
  • NHS Lanarkshire was hit by a cyber attack, affecting several IT systems and leading to cancelled operations and appointments. 

The WannaCry attack exploited a vulnerability that had been patched by Microsoft two months before. However, most NHS trusts had not applied the patch yet. 

It’s easy to blame the trusts for not having their security up to scratch. It’s fair to say that cyber security has taken a bit of a backseat in the NHS. Part of this is cultural, as Taylor put it: “The problem with health and care is, security is not their business, the patient is.”

The NHS is great at patient care and clinical safety, he added, but see security as “something else, it’s the ICT problem”.

“The problem is, that’s not how the health service works anymore. The health service works because technology enables it. The huge lesson [with WannaCry] for provider services out in the NHS was just how much patient facing-services were built on technology.”

Cyber security at heart

Many NHS trusts have more than 50 different systems, including a series of old legacy systems. It’s not a simple thing to patch across all those systems and keep the clinical systems afloat, Taylor said.

“There are legacy issues, there are regression issues. Therefore, clinical risk trumps data security risk,” he adds – one of the reasons why health has suffered from simple exploits like WannaCry. 

Not being able to safely use many of the clinical systems that deliver patient care, such as radiology, meant that suddenly the lifeblood of many large acute hospitals or trauma was taken away.

“In many ways, that’s the best thing that came out of WannaCry – the realisation,” said Taylor.

But it wasn’t just providers that woke up. Taylor admits there were several lessons learnt for NHS Digital too.

One piece of advice, he said, is to “embrace the panic”. There will be times where you would love to just walk out the door, but embrace that feeling, he said.

“You have to trust your systems,” said Taylor. “We had good systems, but mostly, it’s about people – and we have worked to build a good team. That team put good processes and procedures in place, they were capable, calm and energised.”

Lessons learned

One lesson learned though, was “make your lines of communications good, make it snappy”. Taylor concedes that NHS Digital “messed up” when it came to sending out information to NHS providers. “We didn’t send an intelligence bulletin until one minute to five on the Friday, three hours too late,” he said.

Why? Because the centre decided it would rather send information that was checked and correct, rather than information that was only 80% right.

“In an emergency, don’t do it,” he said. Or, if you are going to do it, say ‘we're going to come back to you in 15 minutes’ or ‘ standby, 30 minutes, stand by’. Let them know you’re dealing with the problem. Don’t let that kind of nothingness happen, because then people make poor decisions.”

The lack of information led to NHS trusts deciding to cut themselves off from the national NHS network, such as NHS Mail.

Selling cyber security

In an interview with Computer Weekly last year, Taylor rightly predicted it would just be a matter of time before the NHS was subject to a cyber attack, and NHS Digital wanted the NHS to be prepared.  

As part of the prep, NHS Digital launched its cyber security service called care computing emergency response team (CareCERT) was lunched in autumn 2015 with the aim of enhancing cyber resilience across health and social care. 

However, Taylor said the centre has struggled to be clear about the “why” and using a language the providers understand. We talk about security and detail, he said, but it’s about safe care and public trust.

“You want to know you’re going to be treated safely. You want to know your data about you is held safely, and if we can do that, it engages clinicians more. It’s about the why. Why do you want to protect your technology?”

Some of the services offered by NHS digital were “nonsensical”, he said. Those services included Cyber Assure and CareCERT React, a free of charge data security assessment offered to NHS providers, and a helpline. The language didn’t help, said Taylor. The services have now been renamed data security assessment and data security helpline, making it easier for providers to know what they actually do.

“Don’t let naming conventions be a barrier,” he said. “Don’t use multi-syllable words when what you actually mean is “enablement”, “support” and “making things more secure”.

Read more on CW500 and IT leadership skills

Data Center
Data Management