Hard to believe that WannaCry, and the damage this malware wreaked worldwide, was but a year ago. Two months later, there was Petya/NotPetya. We’ve had hacking and ransomware eruptions regularly, the latest being the slo-mo malware devised by the Orangeworm hackers. What WannaCry and Petya/NotPetya had in common, besides cyberdamage, was they were developed by state actors or hackers with state support (North Korea and–suspected–Russia and/or Ukraine).
The NHS managed to evade Petya, which was fortunate as they were still repairing damage from WannaCry, which initially was reported to affect 20 percent of NHS England trusts. The final count was 34 percent of trusts–at least 80 out of 236 hospital trusts in England, as well as 603 primary care practices and affiliates.
Has the NHS learned its lesson, or is it still vulnerable? A National Audit Office report concluded in late October that the Department of Health and the NHS were warned at least a year in advance of the risk. “It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.” There was no mechanism in place for ensuring migration of Windows XP systems and old software, requested by April 2015, actually happened. Another basic–firewalls facing the internet–weren’t actively managed. Worse, there was no test or rehearsal for a cyberdisruption. “As the NHS had not rehearsed for a national cyber attack it was not immediately clear who should lead the response and there were problems with communications.” NHS Digital was especially sluggish in response, receiving first reports around noon but not issuing an alert till 5pm. It was fortunate that WannaCry had a kill switch, and it was found as quickly as it was by a British security specialist with the handle Malware Tech.
Tests run since WannaCry have proven uneven at best. While there has been reported improvement, even head of IT audit and security services at West Midlands Ambulance Service NHS Trust and a penetration tester for NHS trusts, said that they were “still finding some real shockers out there still.” NHS Digital deputy CEO Rob Shaw told a Public Accounts Committee (PAC) in February that 200 NHS trusts tested against cyber security standards had failed. MPs criticized the NHS and the Department of Health for not implementing 22 recommendations laid out by NHS England’s CIO, Will Smart. Digital Health News
Think ‘cyber-resilience’. It’s not a matter of ‘if’, but ‘when’. Healthcare organizations are never going to fix all the legacy systems that run their world. Medical devices and IoT add-ons will continue to run on outdated or never-updated platforms. Passwords are shared, initial passwords not changed in EHRs. Add to firewalls, prevention measures, emphasizing compliance and best practices, security cyber-resilience–more than a recovery plan, planning to keep operations running with warm backups ready to go, contingency plans, a way to make quick decisions on the main functions that keep the business going. Are healthcare organizations–and the NHS–capable of thinking and acting this way? WannaBet? CSO, Healthcare IT News. Hat tip to Joseph Tomaino of Grassi Healthcare Advisors via LinkedIn.