In January 2017 the Health Service Journal reported a significant failure in cyber security, saying that a “major leak of patient data or a cyberattack that means health services across an entire region are flying blind for many days is overdue and yet completely absent from the risk registers of most NHS organisations”.
The attack begins
On May 12th, the “overdue” attack arrived and spread across the NHS, with trusts being hit by a major ransomware campaign. The outbreak spread at a rapid rate globally and also appeared able to spread internally within a network once the first host had been compromised. At least 50 hospitals and community services have been affected, while CCGs and GP practices in some areas have also stopped using their computers. The attack has almost certainly had an impact on patients: some hospitals have diverted emergency ambulances, asked patients to go elsewhere, and cancelled elective care. Services affected include X-ray imaging, pathology test results, phone and bleep systems, and patient administration systems.
NHS Digital believes the malware used is Wanna Decryptor (aka WCry, WannaCry, and WannaCryptor). Microsoft released a patch earlier this year to address the vulnerability that Wanna Decryptor exploits, but it appears that a number of hospitals and other users have not applied it. Dan Sloshberg of cybersecurity firm Mimecast argues that: “Patient safety is at risk today because of archaic security across much of the nation’s critical IT systems. Studies consistently show that email is the number one attack method used to spread malware that holds critical services to ransom. A cyber resilient nation requires defence in depth security and continuity plans to keep critical services running every time they are attacked.”
There have been ransomware attacks on trusts before – such as Northern Lincolnshire and Goole in 2016 and Barts Health in January 2017 – but nothing on the scale of this attack. The attacks that have taken place do not appear to be targeted; instead they appear to be part of a phishing campaign, though that has not been fully confirmed, according to Allan Liska, Senior Solutions Architect at Recorded Future.
Recovery from the attack
David Kennerley, Director of Threat Research at Webroot, said: “It goes without saying that organisations should test their disaster recovery plan (DRP) regularly. This will help them understand the time it will take to restore systems to a usable state and what data is likely to be lost due to backup schedules. If this disruption is due to ransomware it will be interesting to hear what option the Trusts intend to take. Let’s hope they are all prepared, with the required backups readily available. The danger with paying the ransom is there’s no guarantee they’ll recover their encrypted data and this only makes ransomware more successful in the long run for hackers.”
Israel Barak, CISO at Cybereason, described how these attacks are planned and carried out: “We know that ransomware purveyors are often savvy e-marketers that know their targets, and it is not uncommon for a ransomware gang to run multiple campaigns at the same time, with tiered pricing based on a variety of parameters such as vertical industry, region, age, etc. However, the attacks on the NHS Trusts across the UK seem to show particularly ruthless calculation even by criminal standards, banking on the Trusts having weak defences and being especially desperate to restore access to their systems due to health and even lives being at stake.
While ransoms have surpassed the hundreds of thousands mark, the goal is to set a price that makes it either cheaper or easier for the victims to pay the ransom than to recreate or restore the compromised systems, especially when the victim has a sense of urgency. Today’s ransoms show that this can still be very costly, especially when it comes to lost operational time and data. We’ve seen many examples where companies didn’t have the proper backups in place and decided to pay the ransom so that they could resume normal business operations, and that will obviously be a pressing concern for the affected Trusts.”
John Madelin, CEO at Reliance acsn, adds: “Hospitals can make particularly soft targets for hackers due to the need to focus on putting tight budgets into patient care. As with other organisations, there is also a tendency to use an array of cyber-defence systems which inevitably work in silos, and this very patchwork of ‘protection’ lulls institutions into a false sense of security when in reality they’re incredibly exposed. Security strategies in the healthcare sector need a holistic treatment, with a more integrated, better executed, end-to-end approach – rather than multiple stand-alone security solutions working in silos. The healthcare sector can engineer a culture-shift that will make it more resilient to cyberattack, allowing it to provide better care and prevent the need to cancel operations and treatments because of their networks being targeted by hackers.”
There could be consequences beyond the disruption of medical services. Creighton Magid, a partner at the international law firm Dorsey & Whitney, commented “Although much of the focus in cybersecurity is in preventing data breaches, this attack points to the potential for an entirely different type of damage: shutting down entire businesses, hospital systems, banks, and critical infrastructure. Let’s hope that the attack on the National Health Service in Britain is simply a matter of inconvenience, and that nobody is denied essential care. But what happens if someone is, and is harmed as a result? What if a US hospital were attacked similarly, and someone’s health were to be seriously impacted? Beyond the human tragedy, it would suggest possible new liability targets, starting with the hospital that failed to ensure that it had updated all of its patches.”
Law firm Kemp Little’s head of data protection and privacy, Nicola Fulford, underlined this by saying: “This is a stark reminder that everything is potentially vulnerable – and every business has a responsibility at some level under the law to protect against it even if absolute prevention is impossible.”
When the government announced unfavourable changes in taxes for self-employed staff, a lot of IT technicians sub-contracted to NHS Trusts stepped away from their roles, leaving the NHS vulnerable to assaults like the present one. And some IT experts argue that the root cause of this attack was the use of non-standards-compliant internet browser technology used by Microsoft in the widely used Windows XP software. There is better, safer software that should be used. The Secretary of State for Health has told NHS Trusts to strengthen their IT defences (a pretty obvious response), whilst not conceding that his government’s budget squeeze has increased rather than decreased vulnerability to cyber attack.