Opinions

The Wannacry Ransomware Attack: Will History Repeat Itself?

The WannaCry ransomware attack uncovered large gaps in the UK's cyber security infrastructure, but have institutions like the NHS been patched up properly?


On Friday, 12 May 2017, just over a year ago, a global ransomware attack began that would change the way the world looked at cyber security forever. Within 24 hours of the initial infection, WannaCry had affected an unprecedented number of more than 200,000 computers in 150 countries.

As we know, the NHS was crippled by the attack. Thousands of appointments and operations were cancelled and patients had to travel further to receive medical care at accident and emergency centres. This national emergency proved a startling realisation of how vulnerable our infrastructure can be.

Last month, despite promises that lessons had been learnt and impactful changes would be made, an official government report found that out of 200 hospitals and NHS trusts tested for vulnerabilities one year on, not one has passed cyber security assessments.

This report, while quick to diagnose the failings and shortcomings, says little about real, concrete ways in which the NHS can adapt to prevent an attack of this magnitude ever happening again.

Here, we critically examine specific areas of the report to determine how these vulnerabilities can be rectified to avoid history repeating itself.

‘Communication during the cyber attack’ 

The Public Accounts Committee (PAC) describes in its findings that, while a plan had been developed for responding to a cyber attack, it took three hours to be initiated and had not been tested with local organisations – a “huge mistake”, according to Peter Godden, VP EMEA at IT resilience provider Zerto.

“Strict testing of your disaster recovery (DR) plan should be done on a continuous basis… in highly regulated industries, such as healthcare, testing should be undertaken as often as monthly. As well as habitually testing the DR plan, it should also be thoroughly documented and understood so that the entire team know what to do if it needs to be engaged.”

However, argues Stephen Moore, chief security strategist at Exabeam, over-complicating an incident response plan can also lead to failure, particularly if they are “based on elaborate hypothetical scenarios and guesswork.”

“In the event of a real breach, not only might the attack be completely different in terms of attack vector and ferocity than those modelled, but in many cases, the sheer scale of the attack can be far greater than anticipated. As a result, the plans are often dropped as the response team goes into full firefight mode.

"Where organisations should be careful is in how elaborate they make those plans. Whilst clear procedural information on what to do is valuable, overly complicated steps can be difficult to follow in the heat of the moment, leading to frustration and abandonment.”

‘Local organisations’ readiness for a future cyber attack’

The report found that before May 2017, NHS Digital needed far more visibility over its entire infrastructure to ensure a level of readiness for a cyber attack.

It became apparent in the aftermath that local organisations had operated in silos with no overarching structure to provide centralised visibility – a problem that Paul Parker, Chief Technology of Federal and National Government at SolarWinds, thinks could be solved through network monitoring.

“This would enable IT leaders to pull together information about the devices being used on the network, including operating systems, current patches and security protocols, as well as any malicious traffic targeting the system – all in one single program.”

“Using a software like this, NHS Digital would have full visibility of its entire network, and could provide recommendations and guidance on security vulnerabilities, as well as taking proactive next steps towards a more secure infrastructure. In an absolute worst-case situation, like we’ve seen previously, they could still perform a damage assessment and quickly identify a root cause."

‘Updating and protecting systems without disrupting patient care’

The issue of patching became a huge problem area brought to light by the attack. Most NHS organisations could have prevented the virus by simply applying the patch issued by Microsoft for Windows 7 – the operating system used by more than 90% of devices in the NHS.

The reason given for this huge oversight, and the continuous problem seemingly as yet to be solved, was that the process of patching could lead to disruption of medical equipment and ‘present a clinical risk to patients’ – this consideration would have been unnecessary had the NHS implemented the latest version of Windows, claims Mat Clothier, CEO, CTO and Founder of Cloudhouse.

“By upgrading to Windows 10, these organisations could avoid this disruption and simultaneously avoid the security vulnerabilities of running older systems. Because they do not receive regular security updates and patches, legacy systems are less likely to prevent a cyber attack.”

"The problem is, upgrading isn’t always that easy. Not only is it time-consuming and sometimes expensive, the thought of having to migrate bespoke applications from the current system to a newer version can lead some to believe that their apps need to be rewritten from scratch.

"To ensure that they can complete their migration smoothly, IT teams in the NHS – and the wider public sector – should use compatibility containers to ‘lift and shift’ their applications to the newer Windows 10, reducing complexity in the process as well as saving time and money.

This would provide a protected system environment for the NHS that would help to prevent another cyber attack of the same scale as WannaCry striking again."
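The two points above, central visibility of each device's operating system and patch level, and the fact that one missing Windows 7 update left most NHS organisations exposed, come down to a single question a defender needs to answer quickly: which hosts on the estate are missing a mandated update, and which are on an operating system that no longer receives them? The following Python script is an added example, not code from the article or from any of the vendors quoted. It reads a small constructed inventory export (hostnames, OS names and update identifiers are all made up for the demo; "KB-PLACEHOLDER" stands in for whichever real update identifier policy mandates) and produces that fleet-level report.

```python
# Added example (not from the article): a fleet patch-compliance report.
# It shows the kind of central visibility the passage describes: pull each
# host's OS and installed updates into one place and surface the gaps.
# Inventory lines, host names and the update identifier are constructed;
# "KB-PLACEHOLDER" stands in for whichever real update ID policy mandates.
import csv
import io
from dataclasses import dataclass

# Policy (assumption for the demo): per OS, the updates every host must carry.
REQUIRED_UPDATES = {
    "Windows 7": {"KB-PLACEHOLDER"},
    "Windows 10": set(),
}
# OS versions still receiving regular security updates (assumption for the demo).
SUPPORTED_OS = {"Windows 10"}

# Constructed inventory export: hostname, operating system, ';'-separated updates.
SAMPLE_INVENTORY = """\
hostname,os,updates
ward-pc-01,Windows 7,KB-PLACEHOLDER;KB-OTHER
ward-pc-02,Windows 7,KB-OTHER
mri-console,Windows XP,
admin-lt-07,Windows 10,KB-OTHER
"""


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    updates: frozenset


def parse_inventory(text):
    """Turn the CSV export into Host records; blank update fields become empty sets."""
    hosts = []
    for row in csv.DictReader(io.StringIO(text)):
        updates = {u.strip() for u in row["updates"].split(";") if u.strip()}
        hosts.append(Host(row["hostname"].strip(), row["os"].strip(), frozenset(updates)))
    return hosts


def assess(host):
    """Per-host findings: missing mandated updates, legacy OS, and OS with no policy."""
    required = REQUIRED_UPDATES.get(host.os)
    return {
        "host": host.name,
        "missing": sorted(required - host.updates) if required is not None else [],
        "legacy": host.os not in SUPPORTED_OS,
        "no_policy": required is None,
    }


def summarise(hosts):
    """Fleet-level view: who needs patching, who needs an OS upgrade, and who
    falls outside any defined policy (and so cannot be judged compliant at all)."""
    findings = [assess(h) for h in hosts]
    return {
        "total": len(findings),
        "unpatched": [f["host"] for f in findings if f["missing"]],
        "legacy": [f["host"] for f in findings if f["legacy"]],
        "no_policy": [f["host"] for f in findings if f["no_policy"]],
    }


if __name__ == "__main__":
    report = summarise(parse_inventory(SAMPLE_INVENTORY))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The "no_policy" bucket is deliberate: a host whose OS has no entry in the policy table (here the constructed Windows XP console) is not reported as compliant by accident, which is exactly the silent blind spot a siloed estate produces. In practice the inventory would come from a monitoring or endpoint-management export rather than an inline string, and the required-update table would be maintained alongside the patch schedule.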

Despite the clear patching problem, the report argues that the Department of Health could have mitigated the risk with added layers of security, referencing network segmentation as one example.

Hubert Da Costa, VP and GM EMEA at Cradlepoint would agree: “Deploying air-gapped – or parallel – networks either physically or virtually, can limit the attack surface should one of several security mechanisms fail.” But how does this process work in reality?

“A parallel network takes non-essential or non-secure applications off the secure network.  This can be achieved virtually – by overlaying the network with a software-defined perimeter and/or routing hardware – or physically, by creating a separate network connected via 4G LTE.

“Isolating mission-critical devices makes it easier to monitor, lock down and prevent hackers from crossing over from one application to another.  This would allow the NHS to maintain a higher level of security for its network, and its patients' sensitive data.”

But missing layers of technology are not the only problem here. An inherent technology skills gap within healthcare is claimed to have contributed to the scale of WannaCry's aftermath, with three potential roles available for every cyber expert.

This means that the private sector can naturally afford to pay potential employees higher salaries than the NHS, which is why talent ends up residing elsewhere.

The revelation that there are only 18-20 suitably skilled cyber security experts working for NHS Digital should come as no surprise according to Steve Wainwright, Managing Director EMEA at Skillsoft, who claims IT education should be made an intrinsic part of employee development through online tools.

“Skilled teams aren’t made by magic, they are created through good recruitment and effective training. Forward-thinking organisations are turning to intelligent eLearning solutions that provide engaging, multi-modal content and tailored learning paths.

"This approach can meet each individual’s learning requirements, and encourages people to fit learning into their working day when and where they can.”

‘Wider lessons for government’ 

The report gives the rather uncomfortable conclusion that, had the attack not taken place in the summer or on a Friday, it could have been much worse.

This will stand as little consolation for those affected given the severity of the situation, and the repercussions for businesses affected by cyber attacks in the future look bleaker still: “With GDPR on the horizon, it’s not going to get any easier,” comments Luke Brown, VP EMEA at WinMagic. “Falling victim to cyber criminals is a simple matter of fact these days.”

It’s not all doom and gloom, however. Under the new data regulation that comes into effect on May 25, businesses that do fall under attack can still save themselves a hefty penalty by implementing tools that make data unreadable. “In the event of a data breach, encryption acts as a last line of defence, making data illegible when in the hands of unauthorised parties,” said Brown.

Ultimately, this latest government report proves that, even one year on from the worst cyber attack the UK public sector has seen, the NHS has a long way to go before remedying the deep-rooted issues that enabled the spread of WannaCry. This is particularly worrying as we increasingly hear stories about other areas of critical national infrastructure, such as utilities companies, becoming targets.

What is clear across all areas of this extensive report is that investment in tools, technology and talent is vital for impeding the force with which another cyber attack could strike. Experts in technology will welcome the recent news that £150 million is to be spent by the NHS to bolster its defences.

Jan van Vliet, VP and GM EMEA at Digital Guardian, claims that “the issue of funding is always going to be a hot potato when it comes to the NHS,” but that “two obvious areas to start would be improving user training and awareness.”

It can only be hoped that the negative furore around this incident will mark the start of a new wave of heightened, collective consciousness when it comes to IT resilience in the face of adversity, both in the health service and beyond.
