Nearly a year since WannaCry and all 200 National Health Service trusts failed cybersecurity assessments
The global WannaCry attack that crippled business operations across the globe happened almost a year ago. But since falling victim, the U.K. National Health Service has yet to fully implement the necessary cybersecurity requirements that would prevent a similar fate if an attack struck again.
A new report from the U.K. Commons Public Accounts Committee outlines how unprepared the health system was before the attack in May. Its hospitals and clinics were shutdown and 20,000 appointments were canceled. For some of its trusts, systems didn’t return to normal service for a number of weeks.
The crux of the issue was governance and silos, according to the report. Officials didn’t know whether organizations were prepared for a cyberattack and relied too heavily on the local trusts’ assessments of their governance.
But even a year out from the attack, both the government and NHS have a long way to go to ensure its systems are prepared for the next virus. In fact, none of the 200 trusts passed the cybersecurity assessment by NHS Digital.
The investigation into the health service by members of parliament found some of the trusts failed the assessment “not because they had not done anything on cybersecurity, but rather that the Cyber Essentials Plus standard against which they are assessed is a high bar.”
The Cyber Essentials Plus is comparable to the U.S. NIST Cybersecurity Framework.
“However, some trusts had failed the assessment solely because they had not patched their systems – the main reason the NHS had been vulnerable to WannaCry,” the report read. “It’s also concerned that trusts that were not infected by WannaCry could become complacent over cybersecurity and not keep on top of their cybersecurity risks.”
The lack of patching is concerning, as that was how WannaCry was able to inflict so much damage.
The malware was powered by the leaked NSA hacking tool EternalBlue, which targeted a vulnerability in outdated Windows software. While Microsoft released a patch for the flaw in March, it wasn’t applied by many organizations. As a result, WannaCry proliferated across the globe.
NHS England and NHS Digital officials told investigators they were still struggling to apply patches due to the size and scope of the trusts.
“Patching can disrupt the use of medical equipment and present a clinical risk to patients, and applying a patch in one part of an IT system can cause disruption elsewhere in that system,” NHS officials told the MPs.
But the MPs stressed that with proper segmentation and firewalls, those systems could still be protected.
Another issue hindering progress on its cybersecurity front is that the Department of Health “still does not know what financial impact the WannaCry cyberattack had on the NHS.” The MPs gave NHS until June to update the cost plans for its crucial cybersecurity investment.
And more concerning is that while NHS Digital told investigators understanding cybersecurity needs at a local level was a priority, officials lack some key information “to manage any future national attack on NHS such as on the use of anti-virus software and IP addresses.”
NHS is also struggling with the global security talent shortage and told the MPs “it has only 18 to 20 ‘deeply technically skilled people.’ Without the right staff in place, it will be difficult to apply the necessary changes.”
However, the investigation said WannaCry was “a wake-up call for NHS.” And since the attack, NHS and the government have “improved their understanding of local organizations’ readiness for another cyberattack.”
NHS Digital has assessed the cybersecurity readiness at 200 trusts, compared to just 88 assessed before that attack. And those assessments, despite all failing the readiness test, revealed to NHS Digital the most vulnerable trusts.
“WannaCry was a financially motivated ransomware attack, and as such relatively unsophisticated (it locked devices but did not seek to alter or steal data),” the report read. “However, future attacks could be more sophisticated and malicious in intent, resulting in the theft or compromise of patient data.”
“The department and its arms-length bodies accept that cyberattacks are now a fact of life and that the NHS will never be completely safe from them,” it added.