Last may, several NHS hospitals were hit by the global WannaCry ransomware attack. What was unusual about the U.K. case was with the number of health authorities hit and the ease in which the virus stuck hospital computer systems. NHS England identified 6,912 appointments that were cancelled due to the disruption that the network worm caused. The incident was covered on Digital Journal (see, for example, “Cyberattacks: What businesses can do.“)
In summary, hospitals and medical facilities were greeted with an onscreen “ransom note”, demanding payment of $300 in Bitcoins for the return of their data to its original state. Bitcoins were requested because they are hard to track, using an anonymous blockchain ledger. Behind the attack was a hacker group called “The Shadow Brokers”.
While such attacks are pernicious, the the threat is ever present and businesses and key services like the NHS should take measures to ensure operational continuity. This includes ensuring that systems are up-to-date.
A report issued by the U.K. National Audit Office and NHS Digital found that of 88 hospital trusts surveyed (of a total of 236), none had a sufficient level of security in place. Concerning, the report indicates that no NHS trusts acted on critical alerts issued from NHS Digital to patch or migrate away from vulnerable older software.
According to PharmaPhorum, no formal Department of Health (the government health ministry that oversees the health service) process was in place to assess whether NHS organisations had heeded the advice.
Commenting on the findings, former chairman of NHS Digital, Kingsley Manning told the BBC: “The problem with cyber security for the NHS is [that] it has a particular vulnerability… It’s very interconnected so if you get an attack in one place it tends to spread.” He also added that Wannacry was “an extremely unsophisticated attack” and had time and resources been put in place to update computer systems, the attack could have been avoided.
