A look at cybersecurity across the NHS after the WannaCry attack
[London, UK] The May 2017 WannaCry attack emphasised once again that the NHS cannot remain complacent when it comes to cybersecurity, and the organisations that were not affected were the ones taking a proactive approach, starting from board level, not overestimating their ‘readiness’ to deal with such incidents.
But with the pace of technological advancements, it is becoming harder and harder for organisations to prepare against the ongoing risk of cyber threats.
NHS Digital has been stepping up its efforts
Towards the end of last year, NHS Digital announced health and care organisations would be able to use a free SMS government alert service to receive updates from CareCERT, which offers cybersecurity guidance and support, and reportedly blocks more than 90 million ‘harmful activities’ every month, according to Hansard records.
The need for a secure solution that would facilitate communication at a national level in case of a cyber attack became a ‘priority’ after WannaCry, said Toby Griffiths, NHS Digital’s Data Security Centre Innovation & Development Lead, after the launch of the system.
"SMS was identified as an appropriate solution following feedback from users affected by WannaCry, as it offers an additional level of resilience beyond the standard channels used for sharing CareCERT updates,” he added at the time.
Other efforts include a £20m tender issued to find a strategic partner that would work with NHS Digital on the delivery and development of a Security Operations Centre, meant to ‘enhance’ CareCERT services and allow standardisation of processes under a single unified Security Operating Model.
In July, the Department of Health announced it would boost investment in data and cybersecurity above the £50m, including a £21m capital fund to help major trauma centres, which they were reportedly set to receive before the end of the year.
However, the National Audit Office urged the NHS and the Department of Health to ‘get their act together’ after concluding their investigation into the WannaCry incident.
Some of the most revealing findings from their report indicated that the malware infiltrated various systems across NHS trusts due to a failure ‘to maintain good cybersecurity practices’.
In November last year, the Department for Culture, Media and Sport published an interim strategy identifying key trends that could have an impact on cybersecurity in the UK during the next few years.
That included the Internet of Things (IoT) and smart cities, data and information, automation, machine learning and AI, human computer interaction, other technologies and the government’s ongoing response.
Connected medical devices, the strategy indicated, present an opportunity to eliminate manual data entry, allowing real-time access to updates that would improve workflows:
“All this will lead to better patient treatment, delivered more affordably, as well as the faster discovery and implementation of effective innovations,” it was added.
Introducing innovative technologies
However, careful consideration needs to be given to ensure that innovation is ethically and safely introduced to address any potential ‘cyber vulnerabilities’ that might disrupt services.
According to the strategy, the Department of Health is working with NHS Digital and with the Medicines and Healthcare Products Regulatory Agency (MHRA) to clarify what steps providers should follow when introducing innovative technologies in the health system.
Infoblox Director Rob Bolton explained at the time that the wide range of IT and medical devices that hospitals use pose ‘diverse security challenges’ to IT teams after a recent survey carried out by the company indicated that nearly one in five healthcare IT professionals interviewed reported that the medical devices in their network run on Windows XP, while seven per cent could not identify the network the devices run on.
Cybersecurity threat looming
The National Audit Office report revealed that a few trusts experienced problems with medical devices during the WannaCry attack, with support from vendors often thought to be ‘poor’.
NHS organisations are therefore urged to consider cybersecurity as a board-level priority while focusing on maintaining good practice to prevent any intrusions.
The first reported hospital malware attack in 2018 saw US-based Hancock Health shut down its entire network last week according to Healthcare IT News, with hackers asking for a payment in bitcoin.
Hospital representatives said in a statement they were able to recover the use of computers, with no information suggesting patient data had been compromised at the time.
While the NHS is set to publish a review into the WannaCry cyber attack later on this year, carried out by Health and Social Care Chief Information Officer for England Will Smart, it is clear that, with the pace of technological advancements, regardless of how prepared officials might think they are, the ongoing threat of cyber intrusions is only going to get bigger.