Five years on from the WannaCry Ransomware attack that hit 60 NHS Trusts, including hospitals, NHS facilities and GP surgeries, are we now doing enough to protect our NHS, its staff and patients from future cybersecurity breaches?
The WannaCry Ransomware attack caused severe disruption to NHS services in 2017, cancellations to appointments and planned surgeries and ambulances even had to be diverted, risking patient safety and paralyzing care in the Trusts affected.
The NHS has come a long way since this momentous attack, but it was a long way behind where it needed to be with the systems it was using at the time. The WannaCry Ransomware attack highlighted new vulnerabilities in the NHS cyber networks in areas that had not been anticipated. Traditionally, threats were associated with patient databases and the hardware holding these, but this time it was the devices being targeted.
One positive to take from the breach, if there is one, is that it did act as a call to action from the Trusts themselves and central government, who have implemented a Data Security and Protection Toolkit (DSPT), an assessment tool for the NHS to measure and understand its security standpoint against the National Data Guardian’s 10 data security standards. As a result, Trusts have been on a mission to source modern technologies and adopt strategies to enhance their cybersecurity posture. However, given the fast pace and ever-evolving cyber threat landscape, NHS Trusts need to continually develop their governance and cybersecurity policies, reaction and response strategies, and staff training, to ensure they can quickly acknowledge and respond to high severity cyber alerts.
In preparation for potential future attacks, firstly, we must ask ourselves, are the growing number of cyber threats something the NHS must be worried about, and where are these potential attacks likely to come from?
Unfortunately, the pandemic opened up new opportunities for cyber-criminals. According to The World Economic Forum (WEF), attacks rose as much as 50.1%, and new global political tensions have increased the risk of future attacks on public services even further.
Since Russia’s invasion of Ukraine earlier this year, the NHS has been on a heightened alert to possible cybersecurity breaches. As recently as last month, threats were received from cyber-criminal gangs, potentially associated with Eastern Europe, to target healthcare IoT devices on NHS networks. The likelihood is that with the growing sophistication of hacker methods, along with the rise in threats and more medical devices being connected to hospital networks, there is the potential for a WannaCry 2.0.
So, what can the NHS do to protect against such threats and what capabilities to protect against threats do they really have?
The truth is the NHS has one of the most complex online networks in the UK, which is only becoming more complicated as Trusts adopt modern technologies and IoT devices to enhance patient care. The biggest challenge for NHS Trusts is establishing what its network looks like, what is connected and what the vulnerabilities of these devices are. Unfortunately, many of the Trusts are still in a position of catch up, especially post-pandemic. Resources and staff numbers are stretched, and although they are working hard to improve, few have the needed visibility into their estate assets. As such, this makes it difficult to respond when a high-severity cyber alert comes out. However, there are specialist security tools available to help mediate these threats.
To give you some context, there are currently an estimated 2.2 million medical and other healthcare IoT devices used throughout NHS departments in diagnostics, monitoring, managing and treating patients. Such devices include ventilators, infusion pumps used to administer drugs, large imaging tools, and radiological treatment systems. In some cases, these devices are connected directly to patients on one side and the hospital’s networks on the other. Therefore, any potential breach could be a real threat to life.
Considering everything, careful consideration is needed when upgrading all IoT devices, and staff need to be trained in the potential risks of using each device, which should be done as part of Trust’s governance and cybersecurity policies. What is more, these specialist security tools, which can specifically monitor and identify attacks on devices and can isolate them in the face of a breach, need to be adopted to work alongside staff.
So, are we doing enough to protect our NHS, its staff, and the patients they care for?
Ultimately, there is still a lot more to do. Adopting modern technologies and software is essential for the NHS to operate more efficiently and cost-effectively and to ensure the care they are giving matches and exceeds the world leading healthcare found in other countries. However, Trusts must ensure they are continually developing cyber defense strategies and ensuring they have the right security technologies for their ever-growing, complex networks. It is also vital staff are trained to identify the risks.