Two years after the WannaCry ransomware attack, PUBLIC’s senior technologist David Williams analyses the NHS’s cyber-defence strategy and the lessons for government IT in general.
Avast identified the WannaCry ransomware attack as “one of the broadest and most damaging cyber attacks in history”. It affected more than 230,000 computers worldwide and, while it did not target the NHS or any government systems specifically, its impact on day-to-day healthcare operations in the UK was enormous. A targeted hack, like the one that compromised the healthcare records of 1.5 million patients in Singapore, could totally destroy the public’s trust in the NHS to safeguard its health records.
In a comprehensive review published in early 2018, the NHS determined that it had, in fact, used its CareCERT bulletin to make all trusts aware, on April 25th, of the Microsoft vulnerability that the ransomware exploited, only 24 hours after being informed of it. By the time the attack started 3 weeks later, however, none of the 80 trusts which were affected had applied the patch to their Windows 7 systems, and 18% of devices were still running unsupported Windows XP (in spite of two programmes, launched in 2010 and 2014, to help trusts migrate away from the OS).
Today, almost three-quarters of computers in the NHS are still running Windows 7, even with the impending deadline of Jan 2020 for end-of-support. A recent report by Imperial also highlighted that the NHS still has “weaknesses that compromise patient safety and the integrity of health systems”.
So – why has progress in improving the NHS’s cyber-defences been so limited, and what lessons can we learn in general for government IT? There are three areas to consider here: the challenges of legacy on-premises software, the highly complex structure of organisations like the NHS, and the inherent cyber-security challenges of making government systems more open and connected.
Legacy technology hinders security and reliability
Technology systems in health, like a lot of government, often carry significant legacy and can be deeply embedded on the specific hardware/operating systems they were set up on. The LIMS system used in the Leeds Pathology Lab is a great example – it’s been in place for over 35 years and relied on on-premises hardware, on-premises backup, and remote support by the American multinational it was purchased from. When the hard drives backing the system failed in 2016, and it was discovered that the system backups had (for 6 years) been too large for the backup hard drives, it took 3 weeks to restore the system at a cost of £5 million to the trust. At the heart of the issue was that nobody knew how the machine had originally been set up, and the disaster-recovery plan relied on restoring the whole system image, operating system and all.
While not a security-related issue, the Leeds case highlights that systems in government, especially very domain-specific systems, are often backed by very fragile infrastructure setups. Updating and patching these systems is nigh-on impossible without risking significant downtime or just replacing the system in its entirety. This helps to explain why the migration away from Windows XP has taken so long and why, according to the NHS, a timeline for switching all systems over is hard to confirm.
Accountability for IT is highly diffused
People often think of the NHS as a single entity, when in reality it comprises tens of thousands of organisations, many of which maintain their own IT infrastructure or share common systems. It is often highly unclear which particular organisation, IT department, or outsourcer is responsible for each system.
In attempts to combat this, the NHS has been clarifying roles and responsibilities, and centralising cyber-security standard setting under its new digital transformation unit, NHSX. The DSP toolkit has also been introduced as a self-assessment checklist to help health organisations identify their cyber-security risks.
Another critical aspect of this issue is ensuring that responsibility for security and good information governance is appropriately shared with suppliers when procuring services and systems. CCGs now have to ensure that the software and IT services they procure are fully compliant with the DSP toolkit.
The drive for highly-connected systems can increase security risks
Traditionally, the NHS has relied on ‘walled garden’ private networks, like N3 and HSCN, to secure its systems, or on systems that are only available on the local network of hospitals or GP practices. As we move towards a more connected and open approach to healthcare IT, though, these kinds of networks can be more a curse than a blessing.
Unlike some ransomware campaigns, WannaCry did not spread by spam email, but by scanning for unpatched Windows devices which had certain ports exposed on the network. As the NHS identified in its WannaCry review, better firewalling in the N3 network would have been enough to prevent the spread of the ransomware, even with most Windows systems in the network not having been patched. Indeed, having a closed network of just healthcare devices in which it could spread greatly increased the damage the ransomware could do.
Matt Hancock’s drive towards an ‘internet-first’ NHS, while aiming for more open data and APIs, may in fact result in a more secure and robust setup. When systems are designed under the assumption that they will be visible on the public internet, no shortcuts can be taken on security or resilience to attack. It also promotes the use of properly authenticated and authorised APIs, rather than having ‘back doors’ between systems on a local network which are hard to maintain and secure. On the resilience side, there is the added bonus of moving away from specially procured on-premises hardware to a cloud model, where systems and data can be much more easily restored or scaled.