The WannaCry ransomware attack hit the NHS six months ago, but it’s still the main topic of NHS cyber security conversation. Not least because the National Audit Office put out a report just before EHI Live 2017 that many speakers felt was neither fair nor helpful. Matthew D’Arcy and Lyn Whitfield report.
Like a cold that’s hard to shake off, the WannaCry virus keeps coming back. Will Smart, the national chief information officer, told EHI Live 2017 that he hadn’t been going to mention it.
But then the National Audit Office published a report that concluded the NHS could have avoided what it called a “relatively unsophisticated” ransomware attack with “basic IT security.”
In its report, released on the Friday before the show, the NAO concluded that 81 trusts and around 600 GP practices were hit, and 19,500 appointments cancelled.
It found that while the Department of Health had been warned about the possibility of a cyber-attack, and its national agencies had taken some action, they had little idea what local organisations were doing to move away from unsupported systems or to install security patches.
Also, that response plans had been developed, but not implemented or tested in any kind of major incident drill. Watchdog head Sir Amyas Morse suggested the NHS needed to “get its act together” if it was going to be “better protected against future attacks”.
Not easy, not helpful
Smart felt some of this was unfair. As Dan Taylor, the head of security at NHS Digital’s Data Security Centre, also told the event, updating basic IT security in a system as complex as the NHS is not as easy as the NAO implied.
“Nothing is simple…” Taylor said, discussing the complexities of a large hospital trust. “You have 300 clinical servers, 600 applications, 14,000 devices, 8,500 staff. It is not simple to patch that.”
In addition, Smart added, two thirds of NHS trusts were unaffected on 12 May, and even those 19,500 appointments were just “one per cent of NHS activity at the time.” At trusts that were affected, “staff worked incredibly hard” to get systems back up and running, and to make sure patients were treated.
Other speakers felt blame was unlikely to help. Dr Saif Abed, a former junior doctor, and clinical advisor in healthcare IT, recalled that many media outlets had been keen to attribute blame in the immediate aftermath of the attack.
He said: “I got asked who do we blame? Is it the IT director’s fault? Is it NHS Digital’s fault? Is it [health secretary] Jeremy Hunt’s fault? It does not help anyone to go into the blame game.
“As much as the National Audit Office report said some salient things, that blame game element, I didn’t like it, and I don’t think it helps us to be co-operative. Why, as a clinician, am I being given ammunition to blame IT?”
Reaching the top of the shop
If there was a positive to come out of the attack, then it is much greater awareness of cyber security issues at both board and ward level.
Smart argued this must translate into action: “We got off quite lightly [during the WannaCry] and I don’t think the public will be so forgiving of another incident. We know there will be another attack, so we have to be as ready as we can be.”
Against this backdrop, some speakers felt it was a shame that cyber security was “segregated” into its own stream at the show. Taylor, who chaired a panel on evolving cyber threats facing the health service, echoed Smart when he said: “Cyber is now ‘a top of the shop issue’.”
“But,” he pointed out, “most of the time, when guest speakers like us are asked to speak, it is in side auditoriums. It is very rare when we are asked to speak on main stages. But in the modern world, data security is an issue for all of us. Our technology underpins the delivery of patient facing services. Perhaps we need to mainstream what we do a bit more.”
Dr Abed agreed with this. “Cyber security cannot remain in its own technical silo,” he told the panel. “It has to fit within the context of clinical risk, and clinical workflow. As a clinician, I couldn’t care less about the technical investment. I care about how I go about managing my patients. How do I keep up business as usual in a very high stakes environment?”
Holy social media channels
While he had some reservations about the NAO report, Smart said lessons would be learned from the WannaCry attack. Indeed, he said he was doing his own review, “looking at the response from 100 organisations” to check what needed to be done.
A theme that has come through strongly so far is the need for better communications from the centre to trusts when a major attack is underway; with advice on what not to do as well as what to do.
For instance, he said, some trusts switched off their NHSmail systems during the WannaCry attack, yet the N3 network and the NHS email system were not affected. So, the main impact of switching off NHSmail was to cut trusts off from sources of information and advice that went out using that route.
Some trusts turned to social media and peer-to-peer messaging systems. Taking note of this, the Health CIO Network and the CCIO Network are planning to launch an ‘NHS cyber security bat-signal’ that can be used if official channels are out of action.
The bat-signal will run over an existing bulletin board. As Adrian Byrne, the chief information officer at University Hospital Southampton NHS Foundation Trust, told digitalhealth.net this week, this means: “We will not require Commissioner Gordon’s team to put out the alert. We will be relying, instead, on responsible members to recognise significant events and notify others.”
Getting onto a war games footing
Back on the official front, Smart said a major incident drill based around a cyber-attack would be run in the coming months. Matthew Connor, head of IT at Southport and Ormskirk NHS Trust, told the panel that while steps could and should be taken to try to prevent an attack, it was important for organisations to be ready for when one hit.
“It’s about getting processes right in the organisation to be able to live without technology even for a short time,” he said. “When you are dealing with a risk of downtime or cyber-attack, every area of the business understands the impact for them.”
Dr Abed had experienced such a “war game” scenario. “When I was a junior doctor the entire PACS system for a major trust went down. There was no clear plan or process for requesting imaging. We were in disarray. But what happens in the context of a more sophisticated cyber security breach?
“It comes down to people and processes – if we can get used to a war game scenario, and what happens when things go down, if we know what we can do, we can minimise clinical harm.” With the drills to run, and Smart’s report due in January, WannaCry will continue to make its impact felt for some time yet.