Should the NHS have done more to protect itself against ransomware? UPDATED
The global ransomware outbreak of the 'WanaCrypt0r' malware recently took down swathes of NHS trusts in the UK - should the organisation have done more to protect itself?
UPDATE: NHS Digital has confirmed to Computing that it issued the appropriate security patch to NHS staff in April. Full comment at the end of the article.
Original story begins below:
The global ransomware outbreak of the 'WanaCrypt0r' malware recently took down swathes of NHS trusts in the UK, and also many other organisations globally, including Telefonica, Nissan and Hitachi.
But the highest-profile, and most widely affected, organisation appears to be the NHS. Could it, and should it, have done more to protect itself?
The attack is perpetrated by exploiting a known flaw in Microsoft Windows SMB Server, MS17-010.
This vulnerability was discovered earlier this year and has been exploited by the NSA, according to a trove of documents dumped by the hacking group Shadow Brokers. The US security agency uses malware to exploit vulnerabilities in IT systems for conducting covert operations online.
So what can organisations do to protect themselves?
The simplest answer is that they can use modern, up-to-date operating systems: not Windows XP, in other words, which is still in use in some areas of many NHS trusts. Microsoft ceased support for XP in April 2014, and whilst the NHS paid the firm £5.5 for a year's extended support, even that has long since expired.
In December 2016, 90 per cent of NHS trusts were still using XP, with most still not sure of when they'd be upgrading.
So that's over two and a half years after Microsoft ceased support, and seven years after the firm first announced when support would end. You'd have thought that would be enough time to organise an alternative.
However, even using newer operating systems is insufficient, if those systems are left unpatched for long periods. Given that the vulnerability exploited by the WanaCrypt0r ransomware doesn't exist on machines which are fully patched and up to date, we can assume that organisations which suffered severe infections have less than ideal patching processes.
This appears to be confirmed by NHS Digital, which states that back in April it sent NHS England the details of a security patch that would have prevented the infection. The patch was not widely installed.
That's the most basic and obvious form of protection, and there are many more, as any security expert will tell you. Here are some tips sent to Computing by security firm Kaspersky recently:
- Conduct proper and timely backup of your data so it can be used to restore original files after a data loss event.
- Use a security solution with behaviour-based detection technologies. These technologies can catch malware, including ransomware, by watching how it operates on the attacked system and making it possible to detect fresh and yet unknown samples of ransomware.
- Visit the No More Ransom website, a joint initiative with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.
- Audit installed software, not only on endpoints, but also on all nodes and servers in the network and keep it updated.
- Conduct a security assessment of the control network (i.e. a security audit, penetration testing, gap analysis) to identify and remove any security loopholes. Review external vendor and third party security policies in case they have direct access to the control network.
- Request external intelligence: intelligence from reputable vendors helps organisations to predict future attacks on the company.
- Educate your employees, paying special attention to operational and engineering staff and their awareness of recent threats and attacks.
- Provide protection inside and outside the perimeter. A proper security strategy has to devote significant resources to attack detection and response in order to block an attack before it reaches critically important objects.
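The two most basic checks implied above, whether the MS17-010 fix is present and whether the SMBv1 service the worm spreads through is still enabled, can be scripted for a host audit. The following PowerShell is an added illustration, not code from the article, Kaspersky or NHS Digital. It assumes the well-known MS17-010 package identifiers for Windows 7 / Server 2008 R2 (security-only KB4012212 and monthly rollup KB4012215); other Windows versions ship the fix under different KB numbers, so the list must be extended from the bulletin for a real estate, and a later cumulative update also contains the fix, so a miss means "verify manually" rather than "definitely vulnerable".

```powershell
# Added defender-side audit example: report the OS version, whether a known
# MS17-010 package is installed, and whether SMBv1 is still enabled.
# The KB list is an assumption covering Windows 7 / Server 2008 R2 only.
$Ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-Ms17010Patched {
    param([string[]]$KnownKbs = $Ms17010Kbs)
    # Get-HotFix lists installed updates by KB identifier.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hit = $installed | Where-Object { $KnownKbs -contains $_ }
    # Absence of a listed KB is "unknown", because a later cumulative
    # update supersedes these packages and also carries the fix.
    return [bool]$hit
}

function Test-Smb1Enabled {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # on older systems the cmdlet is missing and we report $null (unknown).
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -eq $cfg) { return $null }
    return [bool]$cfg.EnableSMB1Protocol
}

function Get-PatchAuditReport {
    # OSVersion works on every PowerShell version; XP reports 5.1, 2003 reports 5.2.
    $ver = [System.Environment]::OSVersion.Version
    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        OSVersion       = $ver.ToString()
        UnsupportedOs   = ($ver.Major -lt 6)        # XP / Server 2003 family
        Ms17010Patch    = Test-Ms17010Patched
        Smb1Enabled     = Test-Smb1Enabled
    }
}

# Run locally; for a fleet, wrap in Invoke-Command against a host list and
# collect the objects into a CSV for follow-up.
Get-PatchAuditReport | Format-List
```

A host that reports UnsupportedOs as True, Ms17010Patch as False or Smb1Enabled as True is one to prioritise; the report deliberately separates "not patched" from "could not determine" so that an audit across mixed Windows versions does not hide the unknowns.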
It's fairly safe to assume that many of these processes and tools are not in place across the wider NHS. A glance at some recent stories reveals the sorry truth: the NHS hasn't taken security seriously.
An FoI request from January this year revealed that a third of NHS trusts had suffered ransomware attacks, with one having been attacked 19 times in the previous year.
That same month, Barts NHS trust admitted it had been affected by ransomware.
And at the end of January, we learnt that half of NHS trusts only scan applications for vulnerabilities once a year, if that.
Back in October 2016, the NHS was once again the target of a swathe of ransomware attacks. Perhaps this could and should have been seen as a warning of things to come.
And those are just the biggest and most obvious stories from the last six months.
Some have criticised what they see as the security industry's failure to properly engage with bodies such as the NHS, or to attempt to sell it the most simple and effective tools, rather than mega-suites of the shiniest, and of course most expensive, solutions.
Let's take a look at what the security industry thinks of the attacks.
Rory Duncan, practice manager for security at Dimension Data, praised the organisation's incident response, if not its patching.
"The cyber criminals who carried out this global attack - which as we now know, targeted organisations indiscriminately, rather than having taken aim at the NHS specifically - are clearly the culprits here. However, it confirms what we have known for some time: neglected patching poses a huge security risk for organisations. The capability to identify vulnerabilities in order for patches to be deployed in the most efficient manner is also essential.
"The magnitude of this attack should serve as the ultimate wake-up call to all public and private sector firms. The NHS is clearly facing legacy resourcing challenges, yet its post incident response efforts and ability to restore services are to be applauded. What is now needed is a more robust approach to preventative security measures, ensuring that any gaps in security defences are identified and filled before they are exploited by increasingly resourceful cyber criminals."
James Chappell, CTO and co-founder at Digital Shadows, felt some sympathy at the extent of the patching needs, but was more scathing about the NHS's continued use of Windows XP.
"The NHS is a complex organisation and in big networks like theirs it requires a great deal of effort to keep up with the application of security patches. This is particularly true when some of that software is supporting specialist certified medical equipment.
"That said, there is evidence to suggest some NHS trusts were running Windows XP which is no longer supported by Microsoft, leaving them especially vulnerable to not only this attack but many others. This may well be a result of the lack of resources where trusts may not have followed central government advice to upgrade. Given this situation it is surprising that the problem is not larger in scale than it is being reported at present."
Jamie Akhtar, managing director of CyberSmart, answered the question 'should the NHS have done more to protect itself?' rather emphatically.
"Yes they should have! Either taken collectively as the NHS or as individual organisations, they were simply negligent.
"The NHS failed on what we call basic cyber hygiene, the real world equivalent of these basic measures is leaving your front door open or bike unchained. It's simply a matter of time until someone takes advantage of this. No one in the cyber security community is surprised by this. The vast majority of attacks (this one included) are not sophisticated or targeted, they don't need to be, since there are so many easy targets that lack simple security measures.
"There are obviously larger forces at play with political and budgetary factors but at a minimum, every organisation should be implementing something like the UK Government's Cyber Essentials scheme," Akhtar said.
Jonathan Care, research director at Gartner, was more understanding, stating that some legacy and bespoke systems run on XP and aren't necessarily patchable or upgradeable.
"Windows XP, a system which has been hit hard by WannaCry, can be embedded into key systems as part of the control package and the firmware may not be accessible, nor under your control. Where you have embedded systems (for example POS terminals, medical imaging equipment, telecommunications, and even industrial output systems such as smart card personalisation and document production) make sure that your vendor is able to provide an upgrade path as a critical priority."
So that's the industry view. Understandably, many vendors would like to sell their services to the NHS and are thus reluctant to slam it. However, the central theme, that the organisation has paid insufficient attention to its security needs, remains.
Yes, the NHS is famously underfunded, and provides frankly magnificent value for what we spend on it as a nation. The £350 million per week promised as part of the leave campaign appears unlikely ever to materialise, and some at the NHS may argue that they're in the business of saving lives, and that's where the bulk of their funding goes.
However, with many operations cancelled, and some A&E departments all but shut down as a result of the cyber attack, this business of saving lives and safeguarding public health has been threatened by the NHS's poor security hygiene.
It's not good enough today to cry poverty in the face of security best practice. Good security practice doesn't have to cost a fortune; it just has to be taken seriously. And unfortunately, if the WanaCrypt0r episode teaches us anything, it's that the NHS sees IT security as an irritant and, at best, an afterthought.
This spate of attacks has been widely described as a wake-up call. Hopefully it will be exactly that.
NHS Digital confirmed to Computing that it had provided a security update to NHS staff.
A spokesperson said: "NHS Digital issued a targeted update on a secure portal accessible to NHS staff on April 25, and then via a bulletin to more than 10,000 security and IT professionals on April 27 to alert them to this specific issue.
"These alerts included a patch to protect their systems. This guidance was also reissued on Friday following emergence of this issue."
NHS England, when contacted, declined to comment.