In May 2017, a ransomware programme known as WannaCry infected hundreds of thousands of devices across the world. In the UK, the NHS was one of the organisations most severely affected by the ransomware. While individual trusts had experienced cyber attacks before, the WannaCry attack quickly became the largest ever to affect NHS England.
A recent report from the National Audit Office (NAO) concluded that while the exploits used within the ransomware were technically advanced, WannaCry itself was a relatively unsophisticated attack that could have been mitigated if the NHS had followed basic IT security good practice. However, it must be noted that while the security measures that could have helped mitigate the WannaCry attack are basic, their implementation is not—particularly within a complex organisation such as the NHS.
The investigation from the NAO revealed several lessons around cybersecurity not just for the NHS, but for similarly large public sector organisations. If lessons from the WannaCry incident are not taken on board then we could see other severe cyber attacks strike the NHS and other public sector organisations in the future.
Firstly, cyber preparedness needs to be sufficiently prioritised. The NAO report states that a year before the WannaCry attack, the NHS and the Department of Health had been warned by the National Data Guardian and the Care Quality Commission (CQC) about the risks of cyber attacks and the need to respond to them. A big part of cyber preparedness is making sure cybersecurity is sufficiently prioritised financially in order to deal with the range of threats.
Secondly, there needs to be more awareness of the risks and potential consequences from cyber attacks. In the lead-up to the WannaCry attack, NHS Digital found that many trusts had failed to identify cybersecurity as a risk to patients or care outcomes and that trusts tended to overestimate their ability to respond to cyber incidents.
Thirdly, the central coordination and preparation to deal with cyber attacks need to be translated into local resilience. The NAO report noted that the NHS centrally and the Department of Health were relatively prepared for a severe attack, but local trusts and bodies were not.
There was also confusion about the roles in dealing with cyber attacks at a local level. NHS Improvement and the CQC can mandate local NHS bodies to improve their performance, but neither is primarily concerned with cybersecurity or IT. In contrast, NHS Digital provides cybersecurity advice and guidance, but cannot mandate local action, even in the presence of a confirmed vulnerability or threat.
Finally, effective crisis communication processes need to be in place. The absence of clear processes amplified the impact of the WannaCry attack, with different local NHS bodies reporting the attack to different authorities including the police, NHS England, NHS Digital, and the National Cyber Security Centre. The NAO report notes that this made it difficult to understand the full scope of the attack, and also resulted in patients receiving, in some instances, contradictory information from multiple sources, which added to the confusion.
The NHS has accepted that there are lessons to learn from WannaCry and is in the process of taking further action to address the risks from further cyber attacks. The good news is that the attack could have been worse, which is recognised within the NAO report. However, the same report also states that a similar attack is likely in the future.
In many ways, the WannaCry attack acts as a warning for the NHS and other public sector organisations that their cybersecurity processes need to be improved, and fast, before a more severe cyber attack takes place. The solutions to deal with the cyber attacks are relatively straightforward. The challenge will come from implementing these solutions within the complex web that the NHS and other public sector organisations comprise.
Erik Silfversten is an analyst at RAND Europe whose specialist area is cybersecurity. The op-ed is based on analysis that originally appeared on the Observatory for a Connected Society.
This commentary originally appeared on The BMJ on December 1, 2017.