Two years after WannaCry – are you protected?

How healthcare organisations can check they are defended from cyber-attacks.

In May 2017 parts of the NHS were left paralysed by the WannaCry cyber-attack. The NHS was not the only victim of the global attack, and it wasn’t a specific target; however, it cost the National Health Service £92 million [1] and highlighted weaknesses in its digital defences. This disruption to patient care showed how vital cyber security is for health and care organisations and, importantly, how the NHS needed to make security improvements across its service.

Two years on, Phil Barrington, HealthTrust Europe’s Director of ICT Solutions, looks at what management steps health and care providers should be taking to protect themselves from similar attacks.

WannaCry scrambled computers’ files, demanding payment before they could be opened again. It spread to more computers than previous ransomware attacks, hit computers used in hospital trusts, and had a bigger impact than previous attempts. However, cyber security isn’t just a technology-based issue; it is often at the heart of delivering high-quality patient care and ensuring safety.

There are several reasons why an organisation could become vulnerable to hacking activities, as the NHS’s experience in the wake of WannaCry illustrates. A National Audit Office report highlights that before the attack, an assessment of 88 out of 236 trusts by NHS Digital found that none passed its required cyber-security standards. The report said NHS trusts had not acted on critical alerts from NHS Digital. In addition, a warning in 2014 from what was then the Department of Health and the Cabinet Office to patch or migrate away from vulnerable older software was not acted upon by many trusts, leaving them vulnerable.

Having a formal mechanism for assessing whether an organisation has complied with cyber security advice is important. At the time of the attack, the Department of Health had no such system in place for assessing whether NHS organisations had done this, and it was found that organisations could have better managed their computers’ firewalls.

Cyber security isn’t just the responsibility of an IT department; it is the responsibility of every single person within an organisation. Staff should be able to identify issues such as potential phishing attacks and malware infections, and know how to report suspicious activity. In addition, staff should be aware of the risks of working remotely and using social media.

Eighteen months after WannaCry, The Telegraph reported that a Freedom of Information request revealed around 25% of NHS trusts hadn’t offered staff any kind of specialist cyber security training. The request also discovered that spending on training varied enormously, with trusts investing anywhere between £500 and £33,000.

When it comes to applying cyber security measures it’s not a case of one size fits all organisations. As the case of WannaCry’s effect on the NHS proved, it’s not just an organisation’s technology that can contribute to its vulnerability, but a lack of management of how its technology is used.

Looking to your own organisation, a primary step to ensure you are protected against a cyber-attack is to conduct a cyber security audit. This is a cyber review of an organisation and its IT estate. It identifies the threats, vulnerabilities and risks the organisation faces, and the impact and likelihood of such risks materialising. It will examine issues such as data security, risk management, training and awareness, and business continuity and incident management. And with the introduction of the General Data Protection Regulation (GDPR) in May 2018 organisations now face severe penalties in case of a breach or hack resulting in lost personal data. This means organisations need to take the necessary steps to protect personal data.

HealthTrust Europe (HTE) is a solutions partner for health and care providers; led by its mission, the commitment to the care and improvement of human life, it helps organisations source the best value products and services to deliver patient care. HTE works in partnership with its suppliers, who can provide a free initial consultation to discuss how they can help an organisation detect weaknesses that would make it vulnerable to a cyber-attack. HTE offers access to a wide scope of products and services across IT hardware, software, service and support requirements, with an emphasis on driving quality, safety, service and price. Its framework is covered by NHS terms and conditions and is fully OJEU compliant, avoiding the expense and non-competitive market pricing associated with single tender contract frameworks. It is also GDPR compliant, and all transactional activity is auditable to ensure both compliance and governance requirements are met and exceeded.

[1] The Telegraph, 11 October 2018