The Public Accounts Committee (PAC) released its latest report today, reviewing the impact of, and the response to, the WannaCry cyber attack targeting healthcare.
The attack in May 2017 affected 80 of the 236 NHS Trusts, and 603 NHS organisations overall across England and Wales. The widespread disruption to patients was well-documented in the press.
The latest report, which follows the Department of Health and Social Care (DHSC)’s review published in February 2018, found that although NHS bodies were unprepared for the attack, the consequences could have been much worse. The report highlights that cyber threats are evolving, that future attacks are likely to be much more sophisticated, and that they can result in the theft or compromise of patient data.
The report makes six conclusions and recommendations following its findings, summarised below:
- The NHS was not prepared for an attack such as WannaCry, and there is still “a long way to go” before sufficient cyber security defences are in place across the NHS.
- Communication during the attack was uncoordinated, and no alternative communication method was available when email was not an option.
- Although the state of cyber readiness in the NHS is now better understood, national bodies such as the DHSC have to do more to support NHS Trusts in meeting cyber security standards.
- Without a formal estimate of the cost of WannaCry, national and local organisations cannot make informed investments in cyber security.
- Some NHS organisations are unable to apply updates to their IT systems without disrupting “other parts of IT systems or the operation of equipment vital to patient care”.
- While the WannaCry incident had a substantial impact on the NHS, all government bodies need to learn lessons from the incident and update their practices to minimise the risk and impact of future attacks.
The report recommends that organisations “urgently consider and agree implementation plans” to improve cyber security across the NHS. It also recommends that the DHSC delineate clear roles and responsibilities for local and national bodies in the event of a cyber incident, to improve the response to potential cyber attacks, and that it apply an effective business continuity plan so that communication continues even if certain channels (such as email) become unusable.
Beyond NHS organisations themselves, the report recommends that the governing bodies “ensure that all IT suppliers and suppliers of medical equipment to the NHS are accredited and that local and national contracts include standard terms to maintain and protect NHS devices and systems from cyber-attack”. The focus on requiring IT and medical technology providers to achieve and maintain cyber security standards is likely to intensify as patient care increasingly relies on medical technology.
The report sets a deadline of the end of June 2018 for national bodies to collaborate on an estimate of the WannaCry attack’s cost, and to agree with local organisations on how to target future investment in line with the demand for services and the financial risk to local organisations.
Addressing cyber security
The three pillars of effective cyber security are people, processes and technology. The problem with today’s corporate environment is that we tend to focus on technology, treating it as the magic bullet for all ailments, but technology alone will not protect your critical assets.
Security analysts must investigate how people and technology interact to determine possible threats, and decide on appropriate processes to at least partly mitigate those threats. Detailing this process step by step can help bridge the gap between people and technology, and expose vulnerabilities.
Performing a cyber security audit helps to identify the threats, vulnerabilities and risks your organisation may face, together with the impact and likelihood of those risks materialising.
Cyber Incident Response (CIR) management
The PAC report shows how cyber attacks continue to make headlines almost a year after they occurred. As cyber attackers gain ground, the threat of becoming the victim of a data breach is now an imminent reality for all organisations. The damage, both short and long term, can be substantial.
The speed at which you identify a breach, contain the spread of malware, prevent unauthorised access to your data and remediate the threat will significantly help control the risk, costs and exposure during an incident. Practical incident response processes can detect incidents at an early stage and reduce the risk of future incidents occurring.