The WannaCry attack which took place in May 2017 was a global event, hitting 150 countries worldwide. But it was a particularly significant event for UK healthcare providers, with more than a third of NHS trusts in England disrupted by the ransomware virus which encrypted data on infected computers and demanded a ransom to release it.
According to a National Audit Office report into the NHS handling of the event, almost 7,000 patient appointments were cancelled because of the attack, which was entirely preventable. The NAO found that NHS trusts had not acted on critical alerts from NHS Digital and a warning from the Department of Health and the Cabinet Office in 2014 to patch or migrate away from vulnerable older software. An assessment of 88 trusts by NHS Digital before the attack found that none passed the required cyber-security standards.
Although there was no evidence that any NHS trust paid a ransom to the creators of the virus, and NHS England claims that no patient data was stolen, the total financial cost of the incident is unknown. The hit to reputation and the disruption to normal business was certainly significant and the cost is likely to have run into several millions of pounds across the NHS.
In its response to the NAO, the NHS has already accepted that there are lessons to learn from WannaCry and it has promised to develop a response plan. The NHS will now ensure that critical cyber-security updates, such as applying security patches, are implemented promptly by IT staff. And it is probably reasonable to assume that the NHS defences against this type of low-level attack will be much more robust than they were previously.
But the problem going forward is twofold. The first is that the NHS and its associated agencies comprise such a vast and disparate network, including thousands of hospitals, GP surgeries, dental practices and care homes, that rolling out administrative directives from the centre is always going to be almost impossible to police effectively.
The second is that the threat from cyber-attack is a constantly evolving one, and if a relatively low-level attack such as WannaCry could get through so easily, then more sophisticated attacks will pose an even greater risk. When well-funded commercial organisations like banks and telecoms companies fall to the cyber hackers, then underfunded organisations in the public sector, over-reliant on legacy IT systems, will remain at significant risk whatever steps they take. The only safe working assumption is that at some point your network is very likely to suffer a breach. This might be large or small, but it will take place.
“WannaCry was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber-threats out there than WannaCry, so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
Sir Amyas Morse, NAO comptroller and auditor-general
Given the highly sensitive nature of personal data held by health care providers, and the additional reporting requirements imposed by the GDPR in the event of a data breach since May 2018, every health care agency must now raise its game in this crucial area and put in place incident response plans.
A notifiable breach must be reported to the ICO within 72 hours of the organisation becoming aware of it. If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.
Of course, cyber-attacks are only one of a range of business disruption incidents to which health care providers are vulnerable. In fact, you might be surprised to learn that even though cyber-attack is the top-rated risk for health and social care providers, it does not feature in the top three of actual events. According to the Business Continuity Institute Horizon Scan 2018, the top three actual business disruption events in the health and social care sector are unplanned IT and telecoms outages, adverse weather and interruption to utility supply.
What steps can be taken to mitigate business disruption events?
There are several steps that every organisation can take to prepare itself for the kind of unexpected disruption that the WannaCry virus caused within the NHS. This way you can be ready for the event, even if you don’t know what it is going to be or when it is going to strike.
Make sure that you have a business continuity (BC) plan which is fit for purpose
Make sure that your BC plan, and action plans, will be available to you under all circumstances
Review your risk register to make sure that it covers all your possible threats
Managing Director, Crises Control