The National Health Service in England should have been able to block the "unsophisticated" WannaCry ransomware outbreak that hit the world in May, government auditors say. But the failure of so many NHS trusts and organizations to block WannaCry means that unless substantial cybersecurity improvements get made, the NHS will remain easy pickings for online attackers (see British Security Services Tie North Korea to WannaCry).
On Friday, the National Audit Office, an independent Parliamentary body that audits central government departments and agencies and some public bodies, released the results of its NHS England probe in a report: Investigation: WannaCry Cyberattack and the NHS.
Information security experts say the report contains important lessons for organizations worldwide.
"Senior execs should put this on their reading list now. Learn from the mistakes of others. Don't repeat history," says Alan Woodward, a computer science professor at the University of Surrey, via Twitter.
"The WannaCry cyberattack had potentially serious implications for the NHS and its ability to provide care to patients," Amyas Morse, who heads the NAO, says in a Friday statement. "It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practices. There are more sophisticated cyber threats out there than WannaCry, so the department and the NHS need to get their act together to ensure the NHS is better protected against future attacks."
The NAO report focuses on the Department of Health - the U.K. government department responsible for setting health and adult social care policy in England, along with some matters that have not been devolved to the governments of Scotland, Wales or Northern Ireland. The report covers events immediately before May 12 and up until September 30, and is limited to the impact of WannaCry on the NHS in England. It also lays out specific recommendations that the health department and NHS England have agreed to implement to help it to better prevent and respond to future cyberattacks.
While the NAO report's findings pertain directly to the U.K. Department of Health and NHS England, WannaCry infections also hit 11 of the 14 territorial health boards in Scotland and two of its eight special health boards, authorities say. It's not clear how many physician groups, known as general practices or GPs, may have been affected. Authorities estimate that fewer than 600 appointments had to be cancelled or rescheduled as a result of WannaCry, but it's not clear if that figure takes into account GPs' surgeries.
Scotland says that it is continuing to put new cybersecurity practices in place, in part through its eHealth group, which is part of the Scottish government's Health & Social Care Directorate-General and analogous to NHS Digital in England.
"Scotland's public sector bodies take cybersecurity seriously. Following the WannaCry attack, eHealth is investing in the development of a National Information Security Management system, which will provide greater resilience, as well as central monitoring and control across NHS infrastructure," a spokeswoman for Scotland's Health and Sport Department tells ISMG. "A range of security measures is in place to ensure the public sector can respond appropriately to cyber-attacks. A further action plan to be published in November will help promote a common approach to cyber resilience across Scotland's public bodies."
A spokeswoman for the Northern Irish government tells ISMG that "Northern Ireland health and social care were not affected by WannaCry." She wasn't immediately able to comment on her government's response to the NAO report.
A Welsh government spokesman declined to comment on the NAO report. In May, the First Minister of Wales, Carwyn Jones, said that WannaCry "has not affected the integrity of NHS systems here in Wales, partly due to the resilience defenses already in place."
Officials say WannaCry infected more than 200,000 PCs in at least 100 countries. The NAO says it was the biggest cyberattack to ever hit NHS England, while acknowledging that many trusts had already faced and in some cases fallen victim to ransomware attacks (see Scottish Hospitals Hit by Bitpaymer Ransomware).
The NAO report found that the cybersecurity practices in place in the NHS were at best inadequate, while oversight of those practices by the government's Department of Health was nonexistent. While the department had issued warnings about the need for all NHS organizations to migrate off of Windows XP, for example, and urged them in March and April to install the critical updates to patch the flaws that WannaCry would exploit in May, "the department had no formal mechanism for assessing whether NHS organizations had complied with its advice and guidance."
Before the attack, furthermore, NHS Digital - England's national provider of information, data and IT systems for the NHS and affiliated organizations - "had conducted an onsite cybersecurity assessment for 88 out of 236 trusts, and none had passed," the NAO reports. "However, NHS Digital cannot mandate a local body to take remedial action even if it has concerns about the vulnerability of an organization."
Enter WannaCry: At least 81 of England's 236 NHS trusts were disrupted by the ransomware although the Department of Health and NHS England "do not know the full extent of the disruption," the NAO found. "A further 603 primary care and other NHS organizations were infected by WannaCry, including 595 GP practices," it adds. "However, the department does not know how many NHS organizations could not access records or receive information, because they shared data or systems with an infected trust."
NHS Digital has told auditors that "it believes no patient data were compromised or stolen." But at least five accident and emergency departments were left unable to treat some patients, and NHS England estimates that at least 19,000 appointments had to be canceled, while acknowledging that it has no idea how many further appointments were canceled by general practitioners whose systems were infected by WannaCry, or how many patients and ambulances had to be diverted from A&E departments.
The NAO says NHS England informed it that no trusts infected with WannaCry had paid the ransom, and that NHS Digital wrote to all trusts on May 14 advising them not to pay. Regardless, security researchers have said that due to coding errors, whoever launched WannaCry would not have been able to tell which victims paid the ransom, meaning that any payments would likely not have resulted in victims receiving a decryption key.
The Department of Health was not able to estimate the total losses incurred by the ransomware outbreak, including canceled appointments, additional IT support by NHS bodies, the costs from incident response and remediation support provided by third-party consultants or the cost of restoring data.
Simple patching, meanwhile, could have prevented the WannaCry outbreak. "All NHS organizations infected by WannaCry had unpatched or unsupported Windows operating systems so were susceptible to the ransomware," the report finds. "However, whether organizations had patched their systems or not, taking action to manage their firewalls facing the internet would have guarded organizations against infection." The NAO adds that no WannaCry infections had traveled via the NHS's email system.
Plan: Untested, Not Communicated
The NAO found that while the Department of Health had developed a plan for responding to major incidents at a national level, it had neither "rehearsed for a national cyberattack" nor "tested the plan at a local level."
At 6:45 p.m. on May 12, NHS England declared the attack to be a "major incident" and began attempting to coordinate the response, but this was hampered by WannaCry having crypto-locked systems, leaving many unable to access their email. "Locally, NHS staff shared information through personal mobile devices, including using the encrypted WhatsApp application," the NAO report says. "Although not an official communication channel, national bodies and trusts told us it worked well during this incident."
Many Saved Thanks to Kill Switch
In some respects, the NHS was lucky. "The cyberattack could have caused more disruption if it had not been stopped by a cyber researcher activating a 'kill switch'" on the evening of May 12 that arrested the ransomware's crypto-locking capabilities," the NAO reports. "This meant that some NHS organizations had been infected by the WannaCry ransomware, but because of the researcher's actions, they were not locked out of their devices and systems."
Beginning May 15 and continuing until mid-September, NHS Digital found that devices in at least 92 more NHS organizations, including 21 trusts, suffered infections and attempted to "phone home" to the WannaCry domain.
The report makes multiple references to the kill switch, which was found by British security researcher Marcus Hutchins, aka MalwareTech. He was subsequently arrested by the FBI, while on a trip to this past summer's Black Hat conference in Las Vegas, on charges that he helped develop and sell Kronos banking malware (see WannaCry 'Hero' Pleads Not Guilty, Allowed Back Online).
Based on the NHS's WannaCry response and failures, the NAO has recommended - and NHS Digital and the Department of Health have agreed - that NHS England must:
Plan: "Develop a response plan setting out what the NHS should do in the event of a cyberattack and establish the roles and responsibilities of local and national NHS bodies and the department";
Patch: NHS must ensure organizations pay attention to critical cybersecurity alerts, apply all designated software patches and ensure anti-virus software and signatures remain updated;
Communicate: "Ensure essential communications are getting through during an incident when systems are down";
Educate: "Ensure that organizations, boards and their staff are taking the cyber threat seriously, understand the direct risks to frontline services and are working proactively to maximize their resilience and minimize the impact on patient care."
"The NHS responded admirably to the situation. Doctors, nurses and professionals from all areas pulled together and worked incredibly hard to keep frontline services for patients running and to get everything back to normal as swiftly as possible," Dan Taylor, NHS Digital's head of security, says in a Friday statement. "We learned a lot from WannaCry and are working closely with our colleagues in other national bodies to continue to listen, learn and offer support and services to frontline organizations."
More Funding Allocated
In response to a query about whether any additional funding has been earmarked to help implement the report's recommendations, a U.K. Department of Health spokeswoman refers Information Security Media Group to an additional £21 million ($27.5 million) that has been allocated in 2017 and 2018 beyond the current £50 million ($65.6 million) that's been budgeted. According to a July Department of Health report, the funding is meant "to address key structural weaknesses, such as unsupported systems," with "major trauma sites" being "an immediate priority" as is improving "NHS Digital's national monitoring and response capabilities."
Ed Tucker, CIO of data protection firm DP Governance and former head of cybersecurity for HM Revenue & Customs, tells ISMG that the funding is "a significant amount, until you then break down the scale of the NHS. Then it becomes not very much -not very much at all." But he said some funding is better than no funding.
The funding is apparently also being used by the U.K. Department of Health for its Care Quality Commission, which regulates and inspects health and social care services in England, to run a pilot program conducting unannounced inspections of how the leadership at NHS trusts has been implementing specific cybersecurity recommendations. It says that 135 trusts and organizations have been assessed so far, and that based on the results of the pilot, the cybersecurity inspection program may become more widespread.
In addition, it's launched a new e-learning cybersecurity program that it says 30,000 NHS staff have completed so far. And NHS Digital has been providing threat intelligence and other security guidance via a program called "CareCert." A new CareCERTCollect portal has also been launched to disseminate critical CareCERT alerts, including patch guidance. The department says all NHS England organizations must comply with these alerts within 48 hours.
"The NHS has robust measures in place to protect against cyberattacks. Since May, we have taken further action to strengthen resilience and guard against future attack, including new, unannounced cybersecurity inspections by the CQC, £21 million in funding to improve resilience in trauma centers and enhanced guidance for trusts," a U.K. Department of Health spokeswoman tells ISMG. "WannaCry was an international attack on an unprecedented scale, and staff worked incredibly hard to tackle it - so it is a credit to their efforts that no patients were harmed and no patient data was compromised, as the NAO itself has said."
Lessons For All
While the NAO's WannaCry report only looks at the NHS England and U.K. Department of Health responses, information security experts say it contains lessons that everyone should be learning, and not just in Britain's health service.
Any organization's senior executives and board of directors can immediately order their organization to simulate how it will respond to the next outbreak of WannaCry proportions and continue to test and refine those preparations. Because if there's one certainty in life, says Thom Langford, CISO of communications giant Publicis Groupe, it's that massive cyberattacks are a "not if, but when" proposition.
"Never forget to work out your response plan, however basic," Langford says via Twitter.