IT security 'an afterthought' warn experts following NHS cyber attack

Health service 'must take action' to prevent repeat of crippling ransomeware attack

NHS organisations are being warned not to treat IT security as an ‘afterthought’ following last month’s crippling cyber attack.

Nearly four weeks on from the incident, which affected 99 countries including the UK; security experts are calling for widespread action to prevent future incidents.

Security strategies in the healthcare sector need a holistic treatment, with a more-integrated, better-executed, end-to-end approach

During the 12 May attack, at least 47 NHS hospital trusts in England and more than a dozen in Scotland were hit, with the culprits demanding a ransom to restore systems. A number of GP surgeries were also affected.

Described by security experts as ‘the biggest ransomware outbreak in history’, some hospitals were forced to cancel treatment and appointments and many doctors resorted to using pen and paper.

The hardest hit was Barts Health NHS Trust, the largest healthcare organisation in England, which is still taking action to ensure systems are restored and protected.

Shortly after the attack, industry experts said the tendency among NHS organisations to use an array of cyber-defence systems that work in silos leaves them exposed to hackers.

At the time, John Madelin, chief executive of cyber security specialist, Reliance acsn, said: “Security strategies in the healthcare sector need a holistic treatment, with a more-integrated, better-executed, end-to-end approach.

“The healthcare sector can engineer a culture shift that will make it more resilient to cyberattack, allowing it to provide better care and preventing the need to cancel operations.”

It has exposed a big lack of investment in the NHS; in board level engagement in IT issues, in IT leadership, in basic infrastructure, and in staff training

The attacks have been linked to WannaCry malicious software, which infects Windows PCs.

When a computer is infected, the ransomware typically contacts a central server for the information it needs and then begins encrypting files.

It then posts a message asking for payment to decrypt the files and threatens to destroy the information if it doesn’t receive payment.

It spreads through Word documents, PDFs, and other files sent via email, or through computers already vulnerable due to other viruses.

The virus was only halted when a cybersecurity researcher inadvertently activated a kill switch.

Speaking to BBH, Dr Saif Abed, a founding partner of the health IT consultancy, AbedGraham, called for a forensic inquiry into what went wrong so the NHS can deal with the clinical and patient risk issues it exposed.

He explained: “Surveys, including the digital maturity assessment of trusts that NHS England conducted last year, have shown that a majority of trusts are still running computers running Windows XP.

“This is a Microsoft operating system that has not been supported since 2014 - or, for the UK public sector since 2015 - and is no longer ‘patched’ against the sort of known vulnerability that WannaCry exploited.

“It has exposed a big lack of investment in the NHS; in board level engagement in IT issues, in IT leadership, in basic infrastructure, and in staff training.

“We need a forensic investigation into this, in part to avoid inappropriately blaming specific bits of software, or people.

“We have to ask why this software is still out there, why it is unpatched, why hasn’t there been the investment in clinical leadership to make people aware of the dangers, and why weren’t people and processes in place to respond when it happened.

“Also, if we see this as only a technology issue, we run the risk of not seeing the situation for what it really is; a clinical risk and patient safety issue.”

He added: “ It’s too early to say why some trusts and boards were hit when others dodged it, or why some have recovered so much more easily from back-up than others. But the disparities illustrate another, broader problem; NHS organisations have very-different levels of digital maturity, yet funds for NHS IT tend to be announced for specific projects and then delayed or clawed back before anything much is achieved on a wide scale.

If we see this as only a technology issue, we run the risk of not seeing the situation for what it really is; a clinical risk and patient safety issue

“We need to invest consistently in infrastructure and people and processes. That is why we need a forensic inquiry, and one that leads to immediate action, not one that takes two years and then issues a report.

“If we can pinpoint the problems, we can build a co-ordinated relationship between suppliers, the Government, and NHS organisations that addresses the problems in a way that meets clinical need.”

Ransomware attacks are increasing across all sectors, with a rise of almost 17,000% in 2016 compared to the previous year.

Jalal Bouhdada, founder and principal ICS security consultant at Applied Risk, said the problem the NHS faces is that systems were originally designed without security in mind.

“These devices traditionally served one purpose - to be used internally at hospitals or UK medical centres,” he added.

“As with many modern innovations, the healthcare sector continues to apply a traditional approach to device security, treating it as an afterthought.

“But the risks of unsecured medical devices are clear. Privacy becomes an issue, with patient details potentially accessible.

NHS organisations have very-different levels of digital maturity, yet funds for NHS IT tend to be announced for specific projects and then delayed or clawed back before anything much is achieved on a wide scale

“An even-greater risk comes from the implications of vital medical devices, such as cardiac defibrillators or even pacemakers, coming under attack and removed from use.

“The days in which companies assumed closed systems were protected are over.

“Modern attackers often have access to a wide range of technologies and their documentation, allowing them to become highly knowledgeable prior to any serious attack.”

A Sungard infographic pinpoints the key risks within healthcare IT environments

And Sungard Availability Services has published an infographic identifying the key risks that reside within healthcare IT environments.

It states: “Healthcare enterprise rely on three pillars - the quality of patient care, the effectiveness of business resiliency, and an organisation's solid reputation.

“Cracks in healthcare IT foundation can harm the stability of these pillars and ultimately jeopardise an entire healthcare enterprise.

“Our infographic defines the critical components and risks within the healthcare IT environment and the tools designed to repair the cracks that may threaten the health of an organisation's IT environment.”

Solutions, according to the infographics, lie in tools such risk assessment, disaster recovery, and cloud computing.

Addressing the problem relies on a culture shift

Companies