It is easy to be wise after the event but post-WannaCry, as those healthcare institutions that had been hit emerged blinking from long hours of frantic remedial action to regain access to their systems, it soon became clear that this was an event which should have been anticipated.
It was also clear that in most cases, WannaCry had only succeeded because of basic cybersecurity housekeeping failures – principally, unpatched Windows operating systems. As Will Smart, CIO for Health and Social Care England told delegates at HIMSS UK’s Health Insights event in London last November, “Even with the infrastructure that we’ve got, WannaCry should’ve never happened.”
The National Audit Office was unequivocal after five months of investigation into the attack on the NHS. While it acknowledged the wider failure of the Department of Health to respond more quickly to a cybersecurity review carried out by the National Data Guardian and the Care Quality Commission in 2016, it suggested that ultimately, responsibility for the scale of the ransomware attack’s impact lay with individual institutions – and this was the main lesson to be learned.
“NHS Digital told us that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves,” the report concluded.
Trusts with previous experience of a serious cybersecurity breach were notably better prepared for WannaCry. County Durham and Darlington NHS Foundation Trust (CDDFT), for example, had already taken measures to shore up its infrastructure following experience of a major virus incident after changing security suppliers.
When WannaCry struck, the infrastructure handled many of the protective measures automatically. The IT manager had a clear view from ePO (McAfee’s central management console) and was able to determine from it where the attacks were entering the trust, which actions the infrastructure had taken to block them, and exactly what was happening within the IT environment in real time.
This best practice approach is the kind of model which is being advocated by experts in the wake of the attack. “Look at integrating as many of the different layers of security as possible to allow automation to help ease the burden on your security team/resource,” says Paul Heath, Regional Director, UK&I public sector at McAfee.
“Think of security as a holistic layer of infrastructure, and try to move away from point product discussions. One of the good things about the CDDFT project is that security was seen by the board as an enabler for them to achieve the overall goals of the trust – so try and align those two areas.”
More than legislation?
It might seem surprising that government-led strategic approaches specifically aligned with the demands of healthcare cybersecurity did not provide better protection during the storm.
However, according to the HIMSS Analytics eHealth data security Trend Barometer for the second quarter of 2017, European eHealth professionals see a lack of financial incentives rather than government support as one of the main obstacles to improving the security of Health Information Exchange (HIE). Rather than blaming legislation, IT infrastructure, technical standards, software vendors, or even patients as roadblocks, they call for financial incentives to stimulate and push secure HIE.
Financial incentives for hospitals to increase cybersecurity are, for example, being discussed in Germany, but there won’t be any final decision before a new government is appointed. German legislation included larger hospitals in what it calls “critical infrastructures” in 2015. This means they will be obliged to fulfil certain IT security standards, and the hospitals will also be subject to occasional controls by the national agency for security in information technology (BSI), an agency for which the German Ministry of the Interior is responsible. The detailed requirements for “critical” hospitals are still under debate, but it is expected that they will be published soon. The deadline for implementation will be the summer of 2019, so heated discussions about how the required measures will be financed can be expected in 2018.
According to Christian Beek, Lead Scientist and Principal Engineer at McAfee, WannaCry was basically another wake-up call for healthcare institutions to do the patching right. It helped CIOs to push security up the agenda at board level – yet again, some might say – but in many cases, the topic is still not the highest priority.
“The UK government has invested in cybersecurity initiatives for healthcare, and that’s good,” he says. “But it’s a question of translation. You can have all the manuals and guidance, but best practice still needs to be implemented. The CIO has to translate it by asking, what does it mean to me in MY Trust?”
As far as NHS England is concerned, the guidance is there. The lessons for the Department of Health and NHS national bodies identified in the NAO report are a mixture of the obvious and the familiar – suggesting that the prevailing trends in cybersecurity have varied little over the years:
- Develop a response plan detailing what the NHS should do in the event of a cyber attack, and establishing the roles and responsibilities of stakeholders.
- Ensure organisations implement CareCERT alerts (NHS Digital emails providing information or requiring action, such as applying software patches and updating anti-virus software).
- Ensure that organisations, boards and staff are taking the cyber threat seriously, understand the risks to frontline services and are working proactively to maximise resilience and minimise impacts on patient care.
In the aftermath of WannaCry, NHS England and NHS Improvement have also written to every trust, clinical commissioning group and commissioning support unit asking boards to ensure that they have implemented all 39 CareCERT alerts issued by NHS Digital between March and May 2017, and taken essential action to secure local firewalls.
Perhaps the most significant recent development, however, is NHS Digital’s announcement at the end of November of a £20m (€22.8m approx.) project to create a Security Operations Centre, which will provide enhanced monitoring of national services across health and care, and allow NHS Digital to offer specific advice and guidance to local NHS organisations.
The organisation is looking for a partner to support the project, bringing in the necessary expertise. This partnership, says Dan Taylor, Head of the Digital Security Centre at NHS Digital, will provide access to extra specialist resources during peak periods and enable the team to proactively monitor the web for security threats and emerging vulnerabilities.
“It will also allow us to improve our current capabilities in ethical hacking, vulnerability testing and the forensic analysis of malicious software, and will improve our ability to anticipate future vulnerabilities while supporting health and care in remediating current known threats,” he added.
In light of WannaCry, this might seem long overdue. But until it is properly in place, it remains just another initiative. Meanwhile, CIOs in individual trusts must continue scanning the horizon constantly for the next threat – and focus on ensuring that mundane IT tasks don’t prove the weakest security link when it strikes.