Public Accounts Committee reveals health service is unprepared for future cyber attacks following crippling 2017 WannaCry ransomware demand
Despite the crippling WannaCry cyber attack in May last year, the NHS has failed to take action to protect itself from hackers, MPs warned this week.
The Public Accounts Committee (PAC) accused the Government and health service of an ‘alarming’ failure to enhance cyber security and warned that future attacks could be ‘more sophisticated and malicious’.
The comments come a year after NHS services were affected by the WannaCry attack, which led to the cancellation of tens of thousands of appointments and procedures.
Meg Hillier, chairman of the committee, said: “This case serves as a warning to the whole of Government: a foretaste of the devastation that could be wrought by a more-malicious and sophisticated attack. When it comes, the UK must be ready.”
Earlier this week British and US authorities warned that Russia is preparing to mount cyber attacks on the UK’s ‘critical infrastructure’.
In a joint statement, GCHQ and the FBI said Russia has been probing cyber defences to identify vulnerabilities that will ‘lay a foundation for future offensive operations’.
Following the stark warning, Prime Minister Theresa May announced an investment of up to £15m to help Commonwealth countries strengthen their cyber security capabilities.
And the NHS was told it has taken ‘insufficient’ action to date and would need to step up its efforts in order to prevent future attacks.
It was ‘lucky’ to escape worse consequences than it did, they added.
“If the attack had not happened on a Friday afternoon in the summer, and the kill switch to stop the virus spreading had not been found relatively quickly, then the disruption could have been much worse,” said the PAC.
The report said that NHS bodies had been repeatedly warned to migrate away from old software systems – as long ago as in 2014 – yet had failed to take action.
“The Department of Health and Social Care and its arm's-length bodies were unprepared for the relatively-unsophisticated WannaCry attack. They had not shared and tested plans for responding to a cyber attack, nor had any trust passed a cyber security inspection,” MPs said.
“As the attack unfolded, people across the NHS did not know how best to communicate with the Department or other NHS organisations and had to resort to using improvised and haphazard ways to communicate.”
And MPs said that in the months since, insufficient action had been taken to boost security.
Hillier said: “The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cyber security and response plans of the NHS.
“It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed.”
The report urges Government to ‘get a grip’ on the vulnerabilities facing services and provide guidance on how to update IT systems while minimising disruption to services.
Responding to the comments, a Department of Health and Social Care spokesman said: “Every part of the NHS must be clear that it has learned the lessons of WannaCry.
“The health service has improved its cyber security since the attack, but there is more work to do to protect data and patient care.
“We have supported that work by investing over £60m to address key cyber security weaknesses and plan to spend a further £150m over the next two years to improve resilience, including setting up a new National Secure Operations Centre to boost our ability to prevent, detect and respond to incidents.”
Cyber security companies are also urging the NHS to work with industry so that it has the expertise to keep its systems protected.
Gareth Thomas, managing director of Wilmington Healthcare, said: “Our recent survey of more than 500 primary and secondary care doctors across the UK found that 20% of respondents believe the NHS is at a ‘very high risk’ of a repeat of the May 2017 cyber attack and 40% think it is at ‘high risk’.
“While the NHS claims to have spent millions trying to fight cyber crime, it is clear many doctors have serious concerns about the risk of a repeat attack.
“The report from the Public Accounts Committee criticising the lack of action to date shows their concerns are well founded.
“To prevent a repeat, 70% of respondents said there should be more investment in NHS IT systems; while 65% said there should be improvements in NHS IT maintenance. 37% of respondents think there should be more virus protection software in place and 32% want to see more IT experts working within the NHS.”
Ross Rustici, senior director of intelligence services at Cybereason, added: “Cyber security is not a bolt-on after the fact, or a wound to be triaged; but rather it should be foundational.
“If the NHS or any other government entity viewed cyber security as fundamental to their operations, as the ability to assure the physical safety of the public or patients in NHS's case, then the NHS would never have suffered from WannaCry to begin with because it would have used the ample time it had to adequately patch its network.
“The failures of the NHS to implement the cyber security recommendations are not a new struggle, nor are they limited to the NHS.
“Government entities at the national and local level have a complex set of challenges often under conditions of shrinking budgets.
“An increased spend on cyber security often necessitates a reduction of spending in an area that is seen as providing primary services.
“Despite this stark reality, it demonstrates a failure in institutions to keep up with the current reality they face, and this security spending gap will never be addressed until cyber security is viewed as a fundamental necessity when new buildings, institutions, and services are being rolled out.
“It is far easier and cheaper to keep a network healthy than it is to recover and strengthen a network after it has been severely compromised.
“The UK is now in the position of either having to allocate a lot of new funding to get NHS back to a steady state of healthy or accept the inherent risk of having a weakened security posture in an increasingly-hostile environment.”
The complex healthcare supply chain means the NHS is particularly at risk, and will have a harder job ensuring systems are protected, according to Dan Sloshberg, director of product marketing at Mimecast.
He said: “Resorting to personal email systems or other unsanctioned communication tools is not a viable option, especially considering the stricter data protection controls required under GDPR.
“Email is key for the NHS because of the diverse number of partners they need to communicate with. This accessibility, however, makes email an easy point of entry for cyber criminals looking to extort money and cause disruption.
“As patient care increasingly relies on access to connected cloud services and intelligent infrastructure, the opportunity grows for advanced attacks such as impersonation emails and ransomware.
“The only way to stay ahead of the cyber criminals is for the NHS to embrace cyber resilience, which involves providing comprehensive security controls before, continuity during, and automated recovery after an attack.
“These components will help organisations quickly get back on their feet if an attack does get through.”
And Rob Bolton, director and general manager of Western Europe at Infoblox, told BBH: “As WannaCry demonstrated, vulnerable operating systems and software, in addition to rogue devices on the network, pose a significant threat to hospital services.
“While there is a significant challenge and cost that must be managed with regards to such a project, the PAC is right to highlight the turbulent cyber threat landscape and encourage NHS organisations to secure their IT environment against similar attacks in the future.
“Ultimately, the controlled chaos of managing the shift to a new operating system is better than the potentially-devastating consequences of unplanned disruption to services.”
Tony Pepper, chief executive of Egress, added: “WannaCry was not the most-sophisticated attack - it was just the first at that level - and, given today's statements, I'd bet that cyber criminals are working on developing new malicious tactics to outpace safeguards.
“The NHS cannot afford to drag its feet. Not only is the healthcare industry at risk of becoming a big bullseye for cyber criminals; but on a more fundamental level, poor data practices can put the public's sensitive information at risk day-to-day of misuse, employee errors, and accidental leaks.”