Since WannaCry, the NHS has only been hit by six successful ransomware attacks - compared with 203 in the three years prior to that
During the WannaCry ransomware attack in May 2017, more than 300,000 computers worldwide were estimated to have been infected by hackers. Keiron Holyome, McAfee’s director for the UK public sector, discusses the impact and the lessons learned within the NHS.
The WannaCry ransomware attack that impacted the NHS so profoundly in 2017 was a watershed moment for healthcare cyber security in this country and further afield.
This was now a problem that impacted patient care directly, costing the organisation £92m ($116.4m) and leading to 19,000 cancelled appointments.
However, although the aftermath of WannaCry painted a target on the NHS's back for would-be cyber-attackers, a sustained effort from dedicated IT staff has improved its security posture markedly in many respects.
In fact, it has been hit by only six successful ransomware attacks since 2017, compared with 203 in the three years before that.
NHS since the WannaCry attack
Nonetheless, cyber security is a constantly shifting landscape, and more work needs to be done to evolve as quickly as the threats and the criminals behind them do.
Recent research has found that two-thirds of healthcare organisations suffered a security incident in 2019, so, clearly, the threat is real and hackers see the vast source of rich data the NHS has as a key target.
Keeping this data secure is an extremely tough job and the limited impact on it so far is testament to the hard work of the teams working within the organisation.
As the scale and variety of attacks grow, there needs to be more awareness of the impact a successful attack or breach could have on the NHS and its individual components and trusts.
This culture of informed risk management needs to start with the board and propagate through the organisation, with education and investment in critical areas that provide visibility and control.
IoT and the cloud
Outside of ransomware, the proliferation of IoT (internet of things) and cloud services is an addition to the threat landscape that the NHS still needs to get a handle on.
Cloud adoption is relatively low in the NHS compared to other sectors, and when organisations start to make the move in anger, then understanding of the shared responsibility model, and their role within it, will be critical in mitigating the risks.
Cloud security requires a layered defence, and from service providers to individual organisations and end-users, everyone is accountable in some way.
A good way to illustrate this is to think about a family renting a car.
The manufacturer is responsible for the build quality and the airbags working, the rental company takes ownership of servicing and keeping the car roadworthy, while the driver is ultimately responsible for driving the car safely and carefully.
Everyone has a shared responsibility and a part to play.
IoT devices and as-a-service platforms also add to the overall threat landscape and increase the attack surface area for many customers, not just the NHS.
There needs to be an understanding of how these devices and services operate, ensuring that the appropriate assurance, visibility and governance controls are in place.
However, it is important to state that the NHS faces many constraints that limit the pace of security change, and the organisation is full of incredible people doing what they can with the little they have.
The number one problem is ultimately investment and resources.
With budgets naturally being focused on frontline patient outcomes, it is often a challenge for security professionals in the NHS to secure the resources they need to keep their security posture maturing.
With new threats emerging constantly, the funding is not at the level needed to keep pace.
Is a cultural shift required?
The sheer complexity of the NHS family is also a barrier to change.
NHS Digital and NHSX are working hard to try to centralise the core capabilities, but more work can always be done in this area.
What is needed is investment that enables the NHS to address the lack of awareness and skills, whilst deploying the best technology available that helps close some of the resourcing issues.
Public sector organisations are feeling the industry-wide cyber security skills gap most acutely, and the implementation of machine learning and AI technologies will allow human talent to be placed where it is most useful, solving high-level problems that ultimately benefit patient health.
Cyber security within the NHS has made fantastic progress over the past few years and this trend looks set to continue.
However, due to the size and nature of the organisation and the data it holds, our health service will continue to be a priority target for cyber-attackers.
As such, the NHS and the ecosystem of third parties protecting it must work closely to foster a strong security culture with the finite investment and resources at its disposal.
However, security maturity takes time, only coming through informed education, whereby security best practice is baked into the daily operations of the whole organisation, not just IT.
Technology and culture need to work in tandem to keep the NHS secure and enable it to harness the next generation of digital healthcare technologies.