In May, a full year will have passed since the destructive WannaCry ransomware attack, which resulted in the cancellation of almost 20,000 hospital appointments and operations, paralysed five accident and emergency departments, and affected more than a third of all NHS trusts.
Even though the WannaCry attack was a wake-up call for the NHS, which suffered the most from it, a recent report by the Public Accounts Committee has warned that NHS trusts are yet to implement measures to improve cyber-security and remain vulnerable to similar attacks in the future.
“The Department of Health and Social Care still does not know what financial impact the WannaCry cyber-attack had on the NHS, which is hindering its ability to target its investment in cyber security. Although the Department and NHS bodies have learned lessons from WannaCry, they have a lot of work to do to improve cyber-security for when, and not if, there is another attack,” the report read.
“A cyber-attack is a weapon which can have a huge impact on safety and security. It needs to be treated as a serious, critical threat. The rest of government could also learn important lessons from WannaCry.”
It added that even though the DHS, NHS England and NHS Improvement published a Lessons Learned review with 22 recommendations for strengthening the NHS’s cyber security in February this year, they are yet to agree on implementation plans and do not yet know how much it will cost to implement the recommendations.
The new report is at least as critical of the NHS’s response to the WannaCry ransomware attack as the report released by the National Audit Office last year, which summarised the results of an investigation into the attack and its implications for NHS England.
The NAO had then revealed that the ransomware attack had impacted 81 out of 236 trusts across England as well as 603 primary care and other NHS organisations, including 595 GP practices. It said that even though the Cabinet Office and the Department had asked all NHS trusts in 2014 to migrate away from old software, especially Windows XP, by April 2015, NHS England had identified a further 92 organisations, including 21 trusts, between May and September last year that were hit by the ransomware attack.
“Neither the Department nor NHS England know how many GP appointments were cancelled, or how many ambulances and patients were diverted from the five accident and emergency departments that were unable to treat some patients,” it observed.
According to the Public Accounts Committee’s new report, the Department and the national bodies should put in place a communications protocol so that NHS trusts and hospitals are able to communicate with each other during a cyber-attack. Setting up alternative communication channels will also help considerably if such trusts or hospitals go offline.
It added that neither the Department nor NHS England has complete information on trusts’ IT and digital assets, such as anti-virus software and IP addresses, which would help them to target their support during a cyber-attack. To overcome these issues, the committee announced a set of recommendations as follows:
a) Updating all local IT systems whilst minimising disruption to services.
b) Ensuring that all IT suppliers and suppliers of medical equipment are accredited and that their contracts include terms to maintain and protect NHS devices and systems from cyber-attack.
NHS struggling with cyber skills shortage
However, the committee also noted that it would take a long time for the NHS to overcome the skills gap in cyber security due to a massive shortage in the available workforce with sufficient experience in the field.
“NHS organisations, including local organisations, struggle to recruit and retain skilled cyber security staff, as there is a national shortage of this type of expertise and they are competing in a market where there are three jobs for every expert, and private sector organisations can pay more for cyber security experts than the NHS can.
“NHS Digital itself told us that it has only 18 to 20 “deeply technically skilled people”, though it is doing work to develop a future workforce by developing graduate schemes alongside universities.
“NHS Digital told us that one way it was seeking to address this challenge was by working with the National Cyber Security Centre and Crown Commercial Service to engage trusted suppliers from outside the NHS who can support the NHS during a cyber-attack,” it added.
“The report clearly highlights how the NHS relies on email for service delivery and critical communications in an emergency. WannaCry revealed the disruptive power ransomware can have on the sector, but that interference was just the tip of the iceberg,” says Dan Sloshberg, Director Product Marketing at Mimecast.
“The scale of impact could have been much higher. The vast majority of ransomware is spread by email and, like many organisations, healthcare providers have underinvested in securing this critical and vulnerable system.
“The only way to stay ahead of the cybercriminals is for the NHS to embrace cyber resilience, which involves providing comprehensive security controls before, continuity during, and automated recovery after an attack. These components will help organisations quickly get back on their feet if an attack does get through,” he adds.