While the attack hit computers across the world, from Russia to the US, NHS hospitals were forced to cancel routine surgery and GP appointments as systems were either infected or proactively shut down in an attempt to avoid infection. Some hospitals diverted patients away from their accident and emergency departments, while large amounts of electronic patient data were unavailable.
As the inquest opened into why the NHS was so easily hacked, the initial focus fell on outdated computer systems and unsupported software, notably Windows XP, which are still in widespread use in the NHS, and on whether the software patches Microsoft had issued to protect current Windows versions had actually been installed.
In England, 47 NHS trusts reported problems at hospitals and 13 in Scotland while services in Wales and Northern Ireland were seemingly unaffected. England’s biggest NHS trust, Barts Health NHS Trust which runs five hospitals in London, was forced to reduce surgery and cancel outpatient appointments.
Whilst it emerged that Microsoft identified a risk in March and sent out patches, some trusts may have delayed installing them. Various criticisms about the quality of IT security in the NHS have been made in recent years with a number of high-level warnings.
Outdated hardware and software become a gateway for hackers
The Care Quality Commission and National Data Guardian, Dame Fiona Caldicott, wrote to health secretary Jeremy Hunt last summer warning that an “external cyber threat is becoming a bigger consideration” within the NHS. The NHS continues to face financial constraints amid suggestions that funding had been diverted away from cyber security but the government has rejected this, saying the NHS had upgraded its security before the incident, with £50m made available to further improve security.
The WannaCry ransomware behind the latest cyberattack locks many types of users’ files and demands a $300 (£230/270 euros) payment to restore access. Although the indications are that the main repositories of patient data were not directly affected, access to ancillary systems was locked, effectively choking the daily operating patterns of the NHS.
Meanwhile, Chris Hopson, chief executive of NHS Providers, said many hospitals use sophisticated technology such as MRI and CT scanners which are “bound to be using old software” because they have a 10-year life expectancy, and consequently often run older operating systems.
NHS IT analyst and cyber security commentator Dr John Lockley remains concerned that the NHS has not had a consistent, country-wide approach to cybersecurity for a number of years and so continues to leave itself vulnerable to attack. Since the demise of the NHS National Programme for IT there is no longer a centralised approach to updates, with each trust independently responsible for its own actions.
However, the recently developed NHS Care Computer Emergency Response Team (CareCERT) offers advice and guidance to support health and social care organisations in responding effectively to cybersecurity threats. Dr Lockley nonetheless believes the risk of cyberattack within the NHS remains high, for a number of reasons.
Firstly, he says, the NHS has had an extremely slow, uncoordinated response to migrating away from XP to the more secure and patchable later versions of Windows. Secondly, despite Microsoft releasing critical patches for those later versions in March, many trusts have not installed them, and he adds that there is as yet no robust national mechanism for policing the installation of upgrades.
While acknowledging that certain types of medical equipment and programs still need XP because they would not be compatible with later systems, he adds: “Unless you disconnect all vulnerable computers from the outside world – physically or with special software techniques – they will always remain a risk to the safety of systems and networks. If you have a weak point, you either have to protect fully against the possibility of anybody getting in, or not use those computers.”
The key to adequately protecting the NHS against further cyberattack, he concluded, is to instigate a robust, fully funded and policed nationwide programme to replace XP and other legacy software across the entire NHS.
In addition, key steps are to methodically and routinely apply patches and upgrades; use antivirus software and keep it updated; back up data files regularly and frequently; and teach staff to check the veracity of attachments and links in the emails they receive, as this is often the route through which ransomware first infects an organisation’s computers.
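The two points above, that an unpatched or unsupported machine is only tolerable if it is cut off from the network, and that patching and backups have to be applied routinely and measurably, translate into a simple triage rule a trust could run over its asset inventory. The script below is an added illustration written for this page, not code from the article or from any NHS body; the host records, the one-day backup policy and the tier names are constructed assumptions, and a real inventory would be fed in from the trust's asset register rather than typed by hand.

```python
"""Patch-compliance and exposure triage over a constructed asset inventory.

Added example (not from the article). Each Host records whether its OS is still
supported by the vendor, whether the critical patch referred to in the article has
been installed, whether the machine is isolated from the outside world and the
general hospital network, and how old its newest verified backup is.
"""
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    CRITICAL = 3


@dataclass(frozen=True)
class Host:
    name: str
    os_name: str
    supported: bool        # vendor still issues security patches for this OS
    patched: bool          # the critical patch is installed
    isolated: bool         # no path to the internet or the general hospital LAN
    last_backup_days: int  # age in days of the newest verified backup


BACKUP_MAX_DAYS = 1  # constructed policy: a daily verified backup is expected


def is_vulnerable(h: Host) -> bool:
    # An unsupported OS can never be brought up to date; a supported one is
    # only considered safe once the critical patch is actually on it.
    return (not h.supported) or (not h.patched)


def triage(h: Host) -> tuple:
    """Return (Tier, [actions]) for one host.

    CRITICAL: vulnerable and reachable from the network (the article's "weak point").
    HIGH:     vulnerable but isolated, with a stale backup (no recovery if isolation fails).
    MEDIUM:   vulnerable but isolated with a fresh backup, or patched with a stale backup.
    LOW:      supported, patched and backed up.
    """
    actions = []
    vulnerable = is_vulnerable(h)
    stale_backup = h.last_backup_days > BACKUP_MAX_DAYS
    if not h.supported:
        actions.append("replace unsupported OS (migration programme)")
    elif not h.patched:
        actions.append("install critical patch")
    if vulnerable and not h.isolated:
        actions.append("disconnect or segment from the network until fixed")
    if stale_backup:
        actions.append("take and verify a fresh backup")

    if vulnerable and not h.isolated:
        tier = Tier.CRITICAL
    elif vulnerable and stale_backup:
        tier = Tier.HIGH
    elif vulnerable or stale_backup:
        tier = Tier.MEDIUM
    else:
        tier = Tier.LOW
    return tier, actions


def remediation_plan(hosts):
    """Hosts ordered by descending tier, then name: (name, tier name, actions)."""
    ranked = sorted(((triage(h), h) for h in hosts),
                    key=lambda item: (-int(item[0][0]), item[1].name))
    return [(h.name, tier.name, actions) for (tier, actions), h in ranked]


def summary(hosts):
    """Count of hosts per tier name, e.g. {'CRITICAL': 2, ...}."""
    counts = {t.name: 0 for t in Tier}
    for h in hosts:
        counts[triage(h)[0].name] += 1
    return counts


def sample_inventory():
    # Constructed hosts, not real systems; names and values are illustrative.
    return [
        Host("ct-scanner-01", "Windows XP", False, False, False, 0),
        Host("mri-console-02", "Windows XP", False, False, True, 0),
        Host("ward-pc-14", "Windows 7", True, False, False, 3),
        Host("admin-pc-07", "Windows 10", True, True, False, 9),
        Host("pacs-server-01", "Windows Server 2012", True, True, False, 0),
        Host("lab-analyser-03", "Windows XP", False, False, True, 30),
    ]


if __name__ == "__main__":
    for name, tier, actions in remediation_plan(sample_inventory()):
        print(f"{tier:<9}{name:<18}{'; '.join(actions) or 'no action'}")
    print(summary(sample_inventory()))
```

The ordering matters more than the labels: the two machines that are both vulnerable and still on the network come out first regardless of how old their hardware is, while an XP scanner that has genuinely been cut off drops to the middle of the list, which is exactly the trade-off Dr Lockley describes.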
AXREM, the trade association representing the suppliers of diagnostic medical imaging, radiotherapy, healthcare IT and care equipment in the UK, warned that although patches were available for medical imaging systems, robust network defences remained critical in preventing future attacks.
While suppliers have been focusing on restoring operation of systems compromised by the ransomware attack and protecting systems from further risk, AXREM pointed out that, because medical imaging systems are classified as medical devices and subject to strict regulation, suppliers are obliged to rigorously test software updates and patches to ensure that functionality and safety are not compromised.
The organisation warned that “for this reason, the reliance upon provision of clinical product software patches for defending against malware attacks does not provide a sustainable option,” and stressed that “therefore robust network defences are strongly recommended to prevent against future attacks.”
Dr John Lockley is an NHS IT analyst and commentator on cybersecurity, a former GP and a committee member of the SystmOne National User Group (SNUG).