After the WannaCry attacks in May 2017, many Scottish NHS health boards have still not updated their computer systems.
The attack last year had a crippling effect on the NHS: hospitals and surgeries were locked out of their own essential systems, an estimated 19,000 appointments were cancelled and the total cost of damages is still unknown.
Almost 3,000 of NHS Lothian’s 19,251 computers still run on Windows XP (almost 15%). Microsoft hasn’t provided support for this system since 2014, and its last significant security update took place in 2008, apart from a one-off patch that was released last year to prevent the spread of ransomware. As such, any organisation that still uses Windows XP is particularly vulnerable to exploits.
Although NHS Lothian was not affected by the WannaCry attack, the Shadow Health Secretary has stated that it is “completely irresponsible” for it to be working on an out-of-date computer system.
Scottish Public Sector Cyber Resilience Framework and the NIS Directive
A Scottish Government spokesperson has said that “[a]ny suggestion that NHS Lothian has been left ‘at risk’ are simply not true. Scotland’s public sector organisations take cyber security very seriously.”
The spokesperson has indicated that NHS Scotland is working towards meeting the requirements of the Scottish Public Sector Cyber Resilience Framework and of the upcoming EU Directive on security of network and information systems (NIS Directive), both of which set out requirements for developing cyber resilience and regulate compliance with those requirements.
The NIS Directive requires operators of essential services (OES) and digital service providers (DSPs) to implement effective security measures appropriate to the associated risks, as well as measures to minimise the impact of incidents and ensure business continuity. The NHS is considered an operator of essential services.
Developing your cyber resilience
The deadline for transposing the NIS Directive into national law is 9 May 2018 – less than two months away – after which national governments are given a further six months to identify their OES. However, many organisations are still woefully unprepared for the NIS Directive and are leaving their systems vulnerable to crippling cyber attacks.
A robust cyber resilience programme is critical to ensuring that your organisation doesn’t just identify, detect and protect itself against potential risks, but can also respond and recover, should a disruption occur.
Although this may seem like a substantial project to undertake, IT Governance provides expert advice on developing your cyber resilience in line with the NIS Directive’s requirements in our free green paper.