A summary in case the recent WannaCry ransomware pandemic has somehow passed you by:
- The US NSA (National Security Agency) Equation Group’s EternalBlue exploit and DoublePulsar payload were stolen by a group of criminals known as the Shadow Brokers last August and dumped online in April this year after attempts to auction them and other NSA ‘cyber weapons’ were unsuccessful.
- EternalBlue exploited a number of remote code execution vulnerabilities in version 1 of Microsoft’s Server Message Block protocol.
- Microsoft patched the SMB server vulnerabilities for supported versions of Windows in March, but older systems, such as Windows XP, Windows 8 and Windows Server 2003, remained vulnerable.
- Last Friday, someone – inevitably associated by some researchers with North Korea – combined EternalBlue and DoublePulsar, and used them to spread ransomware to unsupported and unpatched Windows systems via the SMBv1 server flaws, encrypting files and locking down systems until a bitcoin ransom was paid.
- This attack, dubbed WannaCry/WannaCrypt/WanaCrypt0r 2.0/Wanna Decryptor/Wcry, spread quickly from its initial outbreak in Spain, affecting some 200,000 victims in 150 countries – including the UK’s NHS. A number of hospitals were forced to cancel procedures as a result of the attack.
- In an unprecedented move, Microsoft issued patches for unsupported versions of its products in an attempt to stop the WannaCry ransomware spreading further, saying: “Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. […] we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003.”
NHS use of Windows XP
Support for Windows XP ended in 2014, whereafter the government paid Microsoft £5.5 million to extend support for another 12 months and urged NHS organisations to “put in place robust plans to migrate away from Windows XP” by 14 April 2015. The custom support deal ended in May 2015, leaving any NHS organisation using the defunct operating system vulnerable to attack.
Unsurprisingly, a number of NHS machines still use Windows XP, but the exact number is disputed: according to the Defence Secretary, Sir Michael Fallon, 5% of NHS computers still use the out-of-date operating system. Last September, however, a Freedom of Information request from Motherboard found that 42 NHS trusts used XP, suggesting the percentage is much higher.
NHS, WannaCry and data protection
In July last year, the Quality Care Commission (QCC) – the independent regulator of health and social care in England – issued a report called Safe data, safe care: Report into how data is safely and securely managed in the NHS.
Its opening remarks were: “Good information underpins good care. Patient safety can only be assured when information is accessible, its integrity is protected against loss or damage, and confidentiality is maintained.”
Accessibility is key here. The fact that thousands of patients were unable to be treated by the NHS is, without question, a data breach – personal data was rendered unavailable for the purposes for which it was collected.
While the Data Protection Act 1998 might not mandate action, its replacement, the GDPR (General Data Protection Regulation), certainly will.
NHS funding is, of course, a political issue, and for each person who understands the value of technology to the service there is another who wants to know why trusts should spend money on computers instead of nurses. Perhaps this incident will put that into perspective.
Irrespective of the many reasons for the NHS’s failure to move on from an operating system that is no longer vendor-supported, under the GDPR this incident would trigger fines of up to 4% of revenue for every one of the breached institutions.
Furthermore, the Directive on Security of Network and Information Systems (NIS Directive), which requires critical national infrastructure organisations such as the NHS to have cyber security and business continuity programmes in place, and which also carries monetary penalties on the same scale as the GDPR, would also trigger significant fines for breached organisations.
It is a certainty that where there has been a breach in the past there will be one in the future, so it is likely to be far less expensive for NHS organisations to comply with the law and upgrade their systems and data security regimes than risk further fines.
How to comply with the GDPR
With just over 12 months to go until organisations need to comply with the GDPR, now is the time to get prepared.
Take the first step towards compliance by reading EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide.
This must-have guide details:
- The GDPR in terms you can understand
- The obligations of data controllers and processors
- What to do with international data transfers
- Data subjects’ rights and consent
- And much more.