The WannaCry outbreak has forced the UK's national health service to overhaul its crisis planning to put new measures in place to avoid further crippling cyber attacks.
A UK Department of Health and Social Care postmortem on the May 2017 WannaCry outbreak, published on Thursday, repeats the findings of previous UK government studies that the attack was preventable in retrospect and caused all sorts of problems for NHS England, including delaying the first appointments of suspected cancer patients.
The study, Lessons learned review of the WannaCry Ransomware Cyber Attack, concluded the failure to apply available patches on Windows systems combined with poor isolation of vulnerable services from the open internet was to blame for a malware outbreak that affected one in three English NHS Trusts to a lesser or greater extent.
Health service staff were praised for the response to the outbreak, which has prompted the development of a comprehensive incident response plan, designed to better protect hospitals against future cyber-attacks.
The 42-page report makes 22 recommendations for NHS England, some of which have already been put in place. A "Cyber Handbook" has been produced to describe the approach and actions to be taken by NHS England, NHS Digital and NHS Improvement in the event of a cyber attack affecting the public health service.
The reports has made it clear a one-size-fits-all approach will not work across health and social care, so big hospitals need to take a different approach to security than smaller care facilities or GP surgeries, for example.
The "Cyber Handbook" does not detail local cyber response activities in any depth and should be tested alongside local and scaled approaches to cyber response including testing the mechanisms for communication between the wider system and local CIOs.
To date, 190 independent on-site cyber assessments of NHS Trusts have been undertaken. Whilst the wider cyber security programme is looking at addressing some of the shortfalls, these assessments have identified that most NHS trusts also need capital investment in areas such as addressing weaknesses in their infrastructure to secure networks by upgrading firewalls, improving network resilience and segmentation to minimise the risk to medical, improving device security through device replacement and automation of patch management, and improving anti-virus protection.
Chucking cash at CareCERT non-compliants...
Part of the response includes increased spending on information security. For example, a further £25m of capital funding has been identified in 2017/18 to support organisations that have self-assessed as being non-compliant against high severity CareCert alerts, strengthening hardware and software across the system. The Digital Delivery Board (the governing board for the Personalised Health and Care 2020 programme) reprioritised £21m capital to address key vulnerabilities in Major Trauma Centres and Ambulance Trusts, with 32 organisations receiving funding to improve cyber-preparedness.
Meanwhile a reprioritisation exercise is underway across the NHS IT portfolio to identify additional cyber investment between 2018/19 and 2020/21. “As part of this, an initial £150m has been identified focused on continuing investment in local infrastructure as well as national systems and services to improve monitoring, resilience and response,” the report stated.
The study underlines the new reality: that it’s a question of when and not if a new cyber-attack will hit.
“Our challenge is to ensure that the health and care system nationally, regionally and locally is equipped to withstand and respond to cyber attacks in an effective manner which minimises disruption to services and, most importantly, impact on our patients.”
A change in culture is also required.
But new procedures might not cure tech's headaches
The report concluded future cyber incidents have the potential to be both intense and difficult to resolve, a combination of factors that will stretch staff resources.
"The traditional nature of major incidents has been that they are either very intense, but are over with in a number of hours (such as a major traffic incident or physical terror attack) or they are long lasting but slow moving (such as strike action)," the report said. "Cyber attacks create the potential for a long running, highly intense incident. NHS England needs to ensure that it has the capacity to rotate its incident coordination centre and senior leadership to effectively manage the response."
The study provides a detailed look to date of the effects of the ransomware worm on the health service in England, one of the organisations worst hit by the worldwide attack.
The NHS responded well to what was an unprecedented incident, with no reports of harm to patients or of patient data being compromised or stolen. In total, one per cent of NHS activity was directly affected by the WannaCry attack.
The attack led to disruption in one-third of hospital trusts in England. NHS England data shows that at least 80 out of 236 trusts were affected – with 34 infected and locked out of devices (of which 27 were acute trusts), and 46 not infected but reporting disruption. A further 603 primary care and other NHS organisations were infected by WannaCry, including 8 per cent of GP practices (595 out of 7,454).
The review - put together by William Smart, chief information officer for the health and social care system at the Department of Health and Social Care - draws together the main conclusions from the NHS’s internal assessments with two national reviews (a National Audit Office investigation and a study by National Cyber Security Centre) and the conclusions taken from reports by local organisations.
The disruption to patient care has "made it even clearer how dependent the NHS is on information technology and, as a result, the need for security improvements to be made across the service."
Senior NHS Trust managers and board members will be held accountable for cyber security in future, the report said.
"Local organisations must ensure effective management of their technology infrastructure, systems and services, including the adequate patching of devices and systems, ensure sufficient network security and replace unsupported software," the report stated.
And inevitably, "Nationally, a new agreement with Microsoft has been signed [in August], which includes patches for all its current Windows devices operating XP."
NHS could have 'fended off' WannaCry by taking 'simple steps' – reportREAD MORE
As previously reported by El Reg and noted in previous national reports, unpatched Windows 7 systems, in particular, rather than residual reliance on long obsolete Windows XP boxes (which crashed rather than further spreading the worm) laid the groundwork for the WannaCry outbreak. Reliance on Win XP is nonetheless problematic and has been reduced.
The majority of NHS devices infected were running the supported, but unpatched, Microsoft Windows 7 operating system. Unsupported devices (those on XP) were in the minority of infected devices and the number of these devices has decreased in the last 18 months from 18 per cent to 1.8 per cent in January 2018.
None of the 80 NHS organisations affected by WannaCry had applied the Microsoft update patch advised by NHS Digital’s CareCERT bulletin on 25 April 2017 following the receipt of intelligence of a specific threat from BT on 24 April 2017.
Whether organisations had patched their systems or not, taking action to increase the security of their network firewalls facing the N3 network would have guarded organisations against infection.
How the sickness spread
The initial infection was likely through an exposed vulnerable internet-facing Server Message Block (SMB) port 30, rather than email phishing as initially assumed. Many organisation worldwide (including Chinese universities, Telefonica in Spain, Russia’s Interior Ministry and global firms like FedEx, Nissan and Renault) were also affected by WannaCry but the NHS in England was particularly hard hit.
As part of its incident response the NHS enacted its “mutual aid” processes in some parts of the country. This meant that where one A&E could no longer take patients, nearby A&Es stepped up to take their demand. During the incident, some patients from five hospitals travelled further for emergency treatment than normal. A minority 1.2 per cent or 6,912 of first appointments were cancelled and re-arranged between 12 and 18 May, the period when NHS England was dealing with WannaCry and its aftermath.
NHS England’s EPRR review identified at least 139 patients who had an urgent appointment for potential cancer cancelled between 12 and 18 May, representing approximately 0.4 per cent of urgent cancer referrals. "The disruption to secondary care had a knock on effect for primary care, for example on access to test results," the report added. "Third party systems were also impacted, for example DocMan, impacting the electronic flow of clinical information from secondary care to primary care services."
A total of 1,220 (1 per cent) pieces of diagnostic equipment across the NHS were affected by WannaCry. "This figure does not include diagnostic devices which were disconnected to prevent further infection," the report added. "As a result, there were, for example, delays in test processing and communication of diagnostic results."
Although not named in the report, cybersecurity researcher Marcus Hutchins, currently awaiting US trial on unrelated allegations of having a past as a criminal hacker, is credited with finding the “kill switch” that limited the spread of WannaCry.
“The work of a cybersecurity researcher, who activated a ‘kill-switch’ on the evening of Friday 12 May, had the effect of stopping WannaCry infecting further devices. Without this intervention, it is likely that the impact that WannaCry had on services would have been even greater,” the report stated. ®