The well reported cyber attack in May saw a number of NHS Trusts attacked by the WannaCry ransomware. It is now important to take a critical eye over the events and review how well the NHS trusts dealt with this now ever present threat and also to look forward and see what else can be done in the future.
How well did we react?
As we look at how the 47 trusts who were affected dealt with the attack itself there are three key areas that bear focusing on;
This was not a targeted attack on the NHS solely and nor was it only NHS trusts whose IT was breached.director of development and operations
Firstly we can see by the breadth of organisations and countries effected that this was not a targeted attack on the NHS solely and nor was it only NHS trusts whose IT was breached. The list of major corporations, including FedEx, Renault, Telefonica, China National Petroleum Corp, the Indian State Police and Deutsche Bahn was extensive in its nature and contained organisations that spend considerably more time and resource on their technology and IT security than NHS trusts.
This shows a global issue in defending against these cyber attacks whilst highlighting the difficulties of doing so with such a developing and sometimes sophisticated method of attack. Merely blaming this on NHS managers, as some had, is clearly way off and demonstrates a lack of understanding of the root problem.
Clearly it was also evident that the NHS is always ready for a major crisis. Business continuity and disaster recovery plans kicked in where appropriate, to the level they were required to do so across the country as the extent of the attack became clear. This varied from closing down potentially comprised systems in some trusts to full on Silver command in others. What was immensely clear is that the NHS is actually well placed to deal with issues of this size, in part due to the fact that any numbers of major incidents are around the corner for any given trust.
Lastly we can also see that the old saying that the NHS’s crown jewel is its people has never been truer. Despite the pantheon of issues around large parts of the NHS workforce the staff involved went above and beyond to ensure that patient safety and patient care were never compromised. An attack of this kind showed just how the different parts of the NHS work well together as clinical and support staff worked to minimise the impact to patients and restore IT systems. Amongst all the headlines showing a stretched and pressured service, this was a timely reminder of the million plus people that keep our NHS running.
Despite the pantheon of issues around large parts of the NHS workforce the staff involved went above and beyond to ensure that patient safety and patient care were never compromised.director of development and operations
Any major incident, whatever the cause, requires a cold hard look at where we can improve in the future. In this instance the first learning is in essence the fact that there will inevitably be a future incident to manage. Cyber crime is not new, but it is developing at an alarming rate and is therefore an extraordinarily difficult risk to mitigate. We can continue to ensure we do all we can to stop cyber attacks, through security measures and staff awareness, but we will not eradicate it. Understanding this places as much emphasise on a trust’s business continuity plan as it does on their approach to preventing cyber crime. Clearly these plans are already in place but now they have been used it is a time to evaluate and understand areas they can improve in the future to be ready for when the next attack gets through.
We do all we can to stop cyber attacks, through security and staff awareness, but we will not eradicate it.Director of Development and Operationstweet this
There is a heavy reliance on email
There is also clearly some learning around communication, both internally in the NHS and with the wider public. Internally, there is a heavy reliance on email as the main tool of communication. In reality this is also the case across the corporate landscape, although those in the technology sector have been sounding the death knoll for email for some ten years, it is still the predominant and most widely used tool in organisations. There needs to be significant thought given to what future communications channels are used within trusts, through whole health and care areas and nationally to ensure communication is still possible during any future attacks. For some trusts and organisations email was down for a considerable length of time so alternative communications channels are key in the future.
There is also some improvement possible in how the NHS communicates with the wider public. On a trust level plans are always in place to communicate with patients and their local population but there needs to be more thought given to how the bigger picture around these incidents is communicated.
Lastly this major attack has shone a light on capital investment, or more accurately on how constrained this has been in recent years and the link this has to technology. The financial constraints of our NHS have been and continue to be well documented but this pressing issue has not always been linked to the knock on impact of ageing IT infrastructures. What is also not well understood is this is not as simple as upgrading all those trusts still running Windows XP. Taking aside that the most impacted operating system by WannaCry was Windows 7 not XP and that upgrading Windows XP is potentially far from simple this underinvestment in technology is much wider and more complicated. To even do the work required to understand the cost of investment needed is a significant task for most trusts. Without any indication there will be the capital to make the required upgrades and changes in itself is potentially stifling trusts. We need to understand the impact of not investing is so great there really is no option.
This major attack shone a light on capital investment, or more accurately on how constrained this has been in recent years and the link this has to technology.director of operations and development
The WannaCry ransomware attacked showed how prepared the NHS is for major incidents and was a timely reminder of just how good the team of over a million people are at coping with these extreme pressures. But like anything that goes wrong it gives us opportunities to understand where we can improve and particularly shone a light on the chronic underinvestment in basic technology. Our future NHS really does need a significant capital investment, of both time and money, to ensure we can deal with the ever present threat of cyber crime in the future.
This article was first published by Governance + Compliance on 27 June 2017
Read a blog by Ben Clacy on the cyber attack first published by Public Finance on 26 May 2017