- Posted Wednesday November 29, 2017
On 30th October the National Audit Office published a report on the NHS response to the cyber-attack in May 2017. The report stated that the attack could easily have been prevented if the NHS had followed basic IT security practices for what is considered an “unsophisticated cyber-threat”.
It also identified that there was no structured continuity plan for dealing with a computer virus, and recommended that all practices should be more aware of their basic IT responsibilities and keep their security up to date.
WannaCry was the largest cyber-attack to affect the NHS, although individual trusts had been attacked before 12 May 2017 - Northern Lincolnshire and Goole NHS Foundation Trust had been subject to a ransomware attack in October 2016, leading to the cancellation of 2,800 appointments.
It is what is known as ‘ransomware’. WannaCry displayed its ransom demand in 27 languages and could infect machines without anyone clicking on anything: it spread by exploiting a flaw in the Windows SMBv1 file-sharing service (the flaw Microsoft had fixed in March 2017) to reach other unpatched Windows PCs across any network it could see, including the NHS N3 infrastructure. When it infected a PC it silently encrypted the user’s files (documents, images, databases and so on), leaving scrambled copies that cannot be read without the decryption key. It then displayed a message saying that the files were locked and could only be recovered by paying for the decryption key in Bitcoin (hence the term “ransomware”); there was no guarantee that paying would actually get the files back. A Practice Manager recounted what happened on that day;
“On the evening I got a call from a practice who said they were told to switch off all their PCs and servers because of an attack on our systems. I rang one of the IT managers I knew quite well and he said that an email notification went out to everyone to switch everything off, not to log-on to their servers and machines for fear of being attacked.”
The attack affected Windows-based operating systems that had not been patched or were no longer supported (the report says that Windows 10 was not affected). Much of the report focuses on the results of the attack on NHS trusts, but NHS England believes that 603 primary care and other NHS organisations were infected:
- 595 GP Practices were infected by the attack
- 8 other primary care organisations infected and locked out of devices
- 7 GP Practices not infected but reporting disruption
- 32 of the 37 trusts infected were in the North or Midlands
NHS Digital said that no patient data was compromised or stolen in the attack. From May to September, NHS Digital and NHS England identified a further 92 organisations that had been affected. The spread was halted later that Friday when Marcus Hutchins, a self-taught security researcher working from a bedroom in his parents’ house, noticed that the malware checked whether a particular web address existed before doing any damage and registered that domain. This ‘kill-switch’ stopped newly infected machines from encrypting anything, but it did not unlock machines that had already been encrypted.
WhatsApp to the Rescue
NHS England, NHS Digital and the National Cyber Security Centre were all part of the incident response. For practices, there were a lot of phone calls from the Friday and through the weekend about what had happened, who had done what, cancelling and re-booking appointments and asking when everything would be back to normal. Notifications went out to patients about the disruption, but the majority of practices were open the following Monday with a full service.
However, without a clear response plan, local organisations reported the attack to different bodies, including the local police. The lack of email access also made communication up and down the chain of command harder, and some practice groups were using WhatsApp to stay in contact.
One Practice Manager described what happened;
“All over that weekend the IT team went in and tried to patch the update to all the servers, but to do this they needed to switch the servers back on. They emailed their contacts to tell them to start up their servers, but because practices were told not to open or log on to their emails, nobody got the message! I had to act as the co-ordinator and call the practices to say “you’re OK to open that email, it’s genuine”, but people were afraid to do so in case it was another virus. It was an odd situation to be in – “don’t open the emails, but we’ll email you to open an email to fix the problem!”
“I had to text managers and speak to them via WhatsApp again to say they can open the NHS email from ‘xxxx’, there’s nothing to be worried about, you need to get your servers back on. Some of us went back in on Saturday to switch the servers back on, so that’s about 100 or so practices in my area, and then the IT guys were able to remote dial and put the patch on the server.”
Could It Have Been Prevented?
Jeremy Hunt, as Health Secretary, asked the National Data Guardian and the CQC to review data security in 2016. Even though their report recommended action, the Department of Health’s response was not published until July 2017, two months after the WannaCry attack and four months after Microsoft released the security update that could have protected practices against the ransomware.
Before the WannaCry attack, NHS Digital offered an on-site ‘cybersecurity assessment’ known as ‘CareCERT Assure’ (this inspection was voluntary). By 12 May, NHS Digital had inspected 88 out of 236 trusts and none had passed. They also found that in general, trusts had not identified cyber-security as being a risk to patient outcomes, and tended to overestimate their readiness to manage a cyber-attack. The report also states that the CQC will review their line of questions regarding information and digital systems as part of its inspection of the leadership of trusts in the future.
Will It Happen Again?
The IT community is already bracing for the next wave. The latest ransomware to hit businesses, in September, is ‘Locky’, which has already affected Europe, the US, South America, India and parts of Asia. The most likely way it enters IT networks is through ‘phishing’: emails that claim to carry printer or software updates, or invoices that need paying, with a suspicious attachment such as a .zip or .exe file or an Office document. Once the attachment is opened (and, for a document, once macros are enabled) it downloads and runs the ransomware on that PC, which then encrypts the files it can reach, including shared network drives.
The report doesn’t really address that most practices aren’t responsible for their own IT – even if a tech-savvy PM knew what needed to be done, the implementation still rests with the IT provider to ensure the systems are updated and secure. If practices ask the question “are my systems and protection up to date” then that would fall to the IT teams to answer.
Microsoft informed the public that there were vulnerabilities in January 2017, and released a patch in March. But all the admin rights for practice IT systems sit with the local IT teams, to the point that practice staff cannot install a printer without the local IT team dialling in to set it up for them, so applying that patch was never something a practice could do for itself.
The government had already cut security support for the NHS’s outdated computer systems, despite warnings that it would leave hospitals open to hackers. The Government Digital Service, set up by David Cameron, decided not to extend a £5.5million one-year support deal with Microsoft for Windows XP. NHS bosses were told to replace the 14-year-old system or take out a separate deal with Microsoft.
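As an added example (this is not code from the NAO report or from this article), here is a read-only PowerShell check that a local IT team could run on each practice PC or server to answer the “are my systems up to date?” question for the specific flaw WannaCry used. WannaCry spread by exploiting the Windows SMBv1 file-sharing service, and Microsoft fixed that flaw in security bulletin MS17-010 in March 2017. The list of KB numbers in the script is a sample from that bulletin and is an assumption to be checked against Microsoft’s own advisory, because later cumulative updates supersede those packages; the script therefore also reports the version of the SMB server driver (srv.sys) and whether SMBv1 is still switched on, which is what Microsoft’s KB2696547 guidance tells you how to turn off.

```powershell
# Added example, not code from the NAO report or First Practice Management.
# Read-only check of one Windows machine against the flaw WannaCry used to spread.
# Fact: WannaCry exploited the Windows SMBv1 file-sharing service; Microsoft fixed
# it in bulletin MS17-010 (March 2017). A machine cannot be infected over the
# network that way if MS17-010 or a later cumulative update is installed, and is
# safer still with SMBv1 switched off entirely (Microsoft KB2696547).
# Run from an elevated PowerShell prompt on Windows 7 / Server 2008 R2 or later.

# Assumption: a sample of the original MS17-010 package IDs, to be checked against
# Microsoft's bulletin. Later monthly rollups supersede them, so "none found" does
# not by itself prove the machine is unpatched; srv.sys (reported below) is the
# SMB server driver those updates replace, and its version settles the question.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215'                 # Windows 7 SP1 / Server 2008 R2
    'KB4012213', 'KB4012216'                 # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'                 # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'    # Windows 10 1507 / 1511 / 1607
    'KB4012598'                              # Vista / 2008, and the XP / 2003 fix
)

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting through the SmbShare module.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2 only have the LanmanServer registry value; when it is
    # absent SMBv1 is enabled, which is the default on those versions.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return (($null -eq $val) -or ($val -ne 0))
}

function Get-Ms17010Status {
    $os  = Get-WmiObject Win32_OperatingSystem
    $kbs = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
           Select-Object -ExpandProperty HotFixID
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue

    $kbText  = if ($kbs) { ($kbs -join ', ') } else { 'none of the sampled KBs (check srv.sys version)' }
    $srvText = if ($srv) { $srv.VersionInfo.FileVersion } else { 'srv.sys not present' }

    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        OS            = $os.Caption
        OSVersion     = $os.Version
        Ms17010Kbs    = $kbText
        SrvSysVersion = $srvText
        Smb1Enabled   = Test-Smb1Enabled
    }
}

$status = Get-Ms17010Status
$status | Format-List Computer, OS, OSVersion, Ms17010Kbs, SrvSysVersion, Smb1Enabled

# The check only reports; the remediation commands below are printed, not run,
# because switching SMBv1 off can break very old scanners, printers and NAS boxes.
if ($status.Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled on this machine. To disable it (KB2696547):'
    Write-Warning '  Windows 8 / 2012 and later: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    Write-Warning '  Windows 7 / 2008 R2: Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -Name SMB1 -Type DWORD -Value 0 -Force, then reboot'
}
```

Because practice staff do not hold admin rights, this is something to ask the IT provider to run and report back on, machine by machine; the useful answer is the srv.sys version and the SMBv1 state, not just a list of KB numbers, since a machine patched through a later monthly rollup will show none of the sampled KBs yet still be protected.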
The report identified that the NHS had not prepared or rehearsed for a cyberattack on a national scale, and as a result it was not immediately clear who should lead the response – the attack began in the morning but NHS England didn’t declare it was a major incident until 4pm. Without a communicated IT Continuity plan, local groups were not clear on who was co-ordinating the efforts.
A PM told First Practice Management: “I’m pretty sure that if I hadn’t stepped up to co-ordinate things, come Monday morning it would have had a much bigger impact on service than we could have coped with, so I think there was an awful lot of lessons to be learned from what happened – the contacts, the contingency planning, the communication didn’t go down as well as it should, and it could have been much worse.”
When the virus hit that Friday, it was not an isolated incident that practices had to fix – the inherent organisational structure of the NHS meant that there were issues with communicating the problem to the right people. The lack of a continuity plan to deal with this situation meant there was a ‘hit and miss’ response.
Going forward, practices will need some kind of measure of what being up-to-date means from a security point of view, and for the IT teams, CSUs, CCGs and Federations/GP Groups to work together to create a robust plan of action on what will happen during another attack – which, according to the world’s IT security experts, is inevitable.
IMPORTANT QUESTIONS TO ASK ABOUT YOUR IT CONTINUITY PLAN:
AWARENESS: Are all our employees aware of security threats, and do they understand IT security best practices?
COMPLIANCE: Is everyone aware of (and compliant with) security protocols?
POLICIES & PROCESSES: Do you have robust and appropriate information security policies and processes in place?
TRAINING: Are all employees aware of practice policies and processes, and do they understand how to apply them to their working practices?
PREVENTION: Are all the tools/services in place that would enable you to prevent an attack taking place and impacting on patient care?
DETECTION: Do you have tools/services in place to detect an attack breaching your IT defences?
REACTION: If an IT breach took place, would you be able to react and effectively remediate and recover?
There is more information from the National Cyber Security Centre (part of GCHQ) on its dedicated page ‘10 Steps to Cyber Security’.
First Practice Management members can access a wide range of regularly updated draft policies and documents relating to information security and governance from our Policies and Procedures Library.