NHS’s Response to WannaCry Shows Exactly How Not To Protect Yourself Against Malware
By Tim Mullahy – Executive Vice President and Managing Director at Liberty Center One
The NHS in the UK was one of the organizations hardest hit by the WannaCry ransomware – so you’d expect them to have improved their security since, right? Wrong, apparently.
By now, you’ve probably read enough about WannaCry – the global ransomware that served as an unpleasant wakeup call to many organizations around the world. The National Health Service (NHS) in the United Kingdom should have been one of those organizations. After all, in the wake of the ransomware epidemic, at least 81 of the 236 trusts across the country were impacted.
The worst part about that statistic is that the attack was completely preventable, according to a report released in October by the National Audit Office.
“The WannaCry cyber-attack had potentially serious implications for the NHS and its ability to provide care to patients,” explained NAO head Amyas Morse. “It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber-threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
If WannaCry wasn’t enough of a wakeup call, that should have been. And yet in a recent parliamentary hearing, it was revealed that every single NHS trust assessed for security vulnerabilities has failed to meet the standard requirements.
Granted, the bar is set pretty high for these organizations. They do, after all, manage the healthcare data of thousands of residents – data as sensitive as it gets. But that’s still no excuse.
It’s still unclear what’s gone wrong in the NHS. The agency has had every opportunity to improve its security posture, and every reason to seize those opportunities. That so many trusts have remained lax is almost shocking.
On the plus side, NHS’s response reads like a laundry list of what not to do where malware and ransomware are concerned…
● They failed to keep their systems up to date, allowing WannaCry to exploit a positively ancient vulnerability.
● The NHS didn’t have anything resembling an adequate disaster recovery plan, nor did they have much in the way of backups.
● There was no capacity to airgap systems compromised by the ransomware, nor were there monitoring tools in place to detect the malware before the infection grew too large.
● The agency ignored repeated cybersecurity assessments notifying them that their security was inadequate – before the WannaCry incident, 88 of 200 trusts failed.
● There were no backup systems for doctors and nurses to use, meaning they were left floundering by WannaCry.
● It’s unclear if NHS had any sort of antimalware software in place, but it seems unlikely.
A pretty unfortunate list, isn’t it? Fortunately, now that you know what NHS didn’t do, you can get a decent handle on what you should do. It’s imperative that you’re proactive in protecting your business and its data from ransomware – and from any other malware you might encounter.
Otherwise, you might soon find yourself in the same boat as the NHS.