Insights

Alan Hunt: 6 minute read

Managed security systems could have helped the NHS mitigate against the fallout from the WannaCry attack

Two years ago the world bore witness to a cyber-attack that did not limit itself to one sector or country. Managed security services could have helped to address the balance and mitigate against the fallout but is this a fair assessment? Did the government do enough to protect people and the NHS?

WannaCry fired the first volley on the 12th May, with the emerging cost to the NHS being estimated at £92million. This is in regards to the disruption to services and IT upgrades. The wider picture seeing the attack affecting an estimated 200,000 computers across 150 countries, with the total damage reaching the billions.

What made the attack different?

Other than the scale of the attack, it was the shattering of another perception that our emergency services are impervious to attack. Confidence in frontline services is essential as they operate 24/7, being relied upon to save lives. The NHS is essential and any drop in service cannot be deemed acceptable, as, beyond the money, there is the cost to life.

Some industries need to be elevated in our minds as they go above and beyond. They give without thinking and should be heralded as such because they keep the beating heart of society going. They should not be seen as vulnerable, they should be seen as towering pillars of resolute determination. We have faith that they will always be there when needed. Seeing the NHS brought to its knees by a cyber-attack was humbling.

We grow up with the confidence that the emergency services will always be there. We don’t want to hear that the entire infrastructure was damaged by a cyber-attack. It makes us feel vulnerable and we need to believe in them. By targeting and successfully taking down the NHS, the attackers showed that the service was vulnerable.

How did it happen?

The vulnerability was known but hands were tied. Funding as we know in the NHS is limited, with headlines consistently pointing to the debt that the service is in. The scarce funding that was available in this scenario was used on clinical rather than IT projects, which is understandable given operational priorities.

The attackers preyed upon this. They took advantage of older computers that had not downloaded and installed patches that Microsoft had released. Whilst the infection was not solely spread by these computers, it was largely propagated by them. The lack of up-to-date defences proving to be costly.

Out of date software and security that was not up to scratch are two statements that you do not want to hear about the NHS. You want to have it in your head that the NHS is utilising state of the art equipment that speeds up diagnosis and treatment. You want to hear that it is impervious to attack, protecting you and your family, forever.

Whilst the NHS remains resolute, it is still run by humans, who whilst being dedicated to the preservation of life, make mistakes. When saving lives is your main concern, it is easy to see where cyber security can fall through the cracks.

It is a lesson in that your organisation is only as strong as its weakest link. When you are relied upon as much as the NHS, you can never afford to take a chance. Every layer is important, from security to management and equipment.

What was the response? 

Thankfully the virus was stopped in its tracks within a few days due to patches released by Microsoft.  These patches had been made previously available but had in large not been applied to the network. In addition to this, a kill switch was discovered that prevented infected computers from spreading the virus.

The total time in which it lasted was less than a week but still today, its effects are felt. The NHS has made improvements and steps towards upgrading security procedures but the lack of funding is hampering efforts. This is something that will unfortunately not be leaving anytime soon. Whether we like it or not, the NHS is a political minefield.

Political implications emerged from WannaCry over the handling of the NHS. In particular, the continued underfunding, which was heightened following the attack. The arm of the NHS that is responsible for cybersecurity strategy, NHS Digital, refusing to finance the estimated £1 billion required for all NHS organisations to meet the Cyber Essential Plus standard.

The Cyber Essential Plus standard

Whilst £1 billion is a considerable sum of money, it is less than 1% of the £145bn+ that is spent on the NHS each year. When you consider the financial and human impact of cyber-attacks on the NHS, it would seem a sensible investment. 

Cyber Essentials Plus tests the regimes that organisations have put in order to qualify as Cyber Essentials certified. To be certified to this level, organisations need policies and procedures that say they will patch high and critical vulnerabilities within 14 days of being available. Cyber Essentials Plus test this to see if what is written down, is accurate.  

Whilst this testing and continual improvement of any type of defence to ensure that it is still accurate, is recommended, is it worth the £1billion pounds required to get the system up and running? NHS Digital did not think so.

Austerity is still an issue for the UK Government and NHS Digital claimed that for all NHS organisations to be Cyber Essentials Plus would not provide value for money. They do see this area as crucial though and have already spent £60 million on upgrading defences. A further £150 million over the next two years has also been promised.

Could it happen again?

Yes. Of course, it could. Cyber is the new battleground and for every defence, there is an effective countermeasure that is being devised. It is now more of when than if your organisation will be attacked, with thousands of breaches happening each day. Many of these often end up being undisclosed as the organisation is unaware that a breach has even occurred.

There is no silver bullet that will stop all attacks, but suitable actions should be taken to minimise risk and reduce the significant impact these attacks deliver.

Cybersecurity is a 24/7 operation and needs to be administered as such. Unfortunately, NHS organisations and local authorities are under-resourced and tend to have access to the wrong tools to provide suitable defences against the global network of hackers.

It can no longer be left to a weekly scan when you consider the sheer volume of attacks that can happen on a daily, even hourly basis. You need round the clock protection to ensure that your data is secure and this is never more important than when you are referring to the NHS.

What can you do? Security infrastructure

Our ECLIPSE Security and Governance division have created a Managed Security Service that works with the organisation in question. It sits in the background and steers the ship to ensure that whilst you work, it protects. How does it do this?

The service pulls together every part of the organisation in question, from firewalls to physical laptops and login attempts. These are then monitored by the Threat and Vulnerability Management System, which provides real-time information regarding vulnerabilities within the organisation in question. These are then collated with real-time threat feeds from the Open Threat eXchange.

Could it have prevented the WannaCry attack? That is difficult to say but what we do know is that it could have been a great weapon in dealing with the threat, quicker. It could have been picked up, isolated and dealt with in a swifter manner. The appropriate response then loaded and distilled down.

Central Bedfordshire – Live with Managed Security Service

This open exchange of threats from around the world adds into the protection provided, creating a holistic and contextualised security infrastructure. The service has been in use with Central Bedfordshire Council for nearly a year and has resulted in improvements to cyber defences and the suppression of critical vulnerabilities and incidents.

Although the Managed Security that ECLIPSE Security and Governance provides, detects many security events per day, only events of real consequence are reported to Central Bedfordshire. This is typically less than 10 per day and is decreasing as the security posture improves. This means that Central Bedfordshire IT staff are supported in defending the council’s defences at critical moments rather than being drowned in data.

What can you do? Educating staff

Whilst the underlying technology is incredibly important, the knowledge of staff also needs to be improved. It’s very easy to point fingers in hindsight at someone that has clicked a link they shouldn’t have but with attackers getting more sophisticated, the level of training needs to be increased. Knowledge is power and in the battle against the cybercriminals, we need to know what we are dealing with.

By taking the time to step back, looking at the technology that defends you and combining this with staff training, you can create a preventative culture. One in which there are still risks but these have been minimized as much as possible. You can never remove risk altogether from life but you can ensure that contingency plans are in place.

You can ensure that members of staff know the risks, receive training on induction and apply these in their day-to-day lives. Only by training your staff and arming the company with the most suitable technology for the job can you begin to counter the threat. The internet is an amazing space but it needs to be treated with respect.  

Conclusion

WannaCry was arguably, inevitable.

The lack of funding proved to be a ticking time bomb. All that was missing from the equation was someone willing to place their morality on the backburner. Healthcare staff look after millions of people every year. They rely on technology more than they know to ensure that records are complete, scans can be made, payments completed and people can receive the best care possible.

We can sometimes miss how reliant we are on technology. WannaCry taught us that there is always someone out there that is willing to try to profit from people’s pain. We need to ensure that we have the best protection possible to ensure that when breaches occur, they are managed in the most efficient manner possible.

By utilising technology solutions such as Managed Security Services, you are able to take a breath, as they operate 24/7. They share threats around the world and develop countermeasures that can then also be shared. This is how we protect our services, by working together and taking a pro-active approach to ensure that the care of patients is the number one priority, always.