The global ransomware crisis that hit the NHS in May has led to a lot of lessons being learned – and put cyber security firmly on the agenda of NHS trust boards. Matthew D’Arcy reports from the UK Health Show.
Sean Walsh did not expect to face what he describes as “Armageddon” 24 hours after completing his initial staff briefings as NHS Digital’s newly appointed senior information risk owner.
However, that’s what he faced when the WannaCry ransomware attack hit on 12 May this year. WannaCry was a relatively simple attack that locked up systems and demanded a payment in the online currency, Bitcoin, to unlock them.
It wasn’t specifically targeted at the NHS. Some 300,000 computers in 150 countries were affected, and other big users of email, such as the international shipper FedEx, also went down.
Even so, the NHS was a high-profile casualty, with some estimates saying that 40 trusts in England and 11 health boards and the ambulance service in Scotland suffered disruption.
Learning communications lessons
Unsurprisingly, then, health service leaders are still looking to learn lessons. Speaking at The UK Health Show, Walsh said WannaCry was “the very best test of our capability and resources we could ever have wished for.”
But he acknowledged that the response from his organisation’s Data Security Centre was in some ways wanting. “Have we got it right so far? Not completely, no.”
At the top of Walsh’s list of things that went wrong was communications. NHS Digital first heard of the attack at around 12.30pm. Yet it took the agency more than four hours to issue any advice or communication to NHS organisations that were scrambling to respond to the fast-moving, pervasive attack.
“We were able to set up our war room, our control centre, within 10 minutes of the first reports coming in,” Walsh told the Cyber Security in Healthcare conference at the show at Olympia, London last week.
“We are very conscious that in those early stages of the event, one of those things we possibly didn’t do terribly well was to get some very fast communications out in the first 60 minutes. There was a tendency to delay until we had more technical details, more clarity. On reflection, I think that was a mistake.”
Even purdah, a communication restriction placed on public sector bodies in the run-up to the general election, may have impacted on the speed of disseminating important updates, Walsh suggested.
NHS Digital has pledged to avoid an “information vacuum” in similar emergencies and provide “clearer, and much more purposeful” communications that leave out “mumbo jumbo” and technical jargon.
Operating in an information vacuum
Chris Flynn, the security operations lead at NHS Digital’s Data Security Centre, also acknowledged that it had got some things wrong. Specifically, he said, it had failed to clarify which systems were not affected, and to issue advice on things not to do.
“We didn’t tell people specifically that NHSmail was safe,” he said. “We didn’t say it wasn’t [safe], but we didn’t say it was safe. We know that people pulled connections.
“Similarly, the N3 network wasn’t affected, but people were pulling connections. That massively impacted our ability to communicate.
“Over the course of the weekend, we issued 12 advisories. Pockets of the population didn’t receive that because they had pulled up the drawbridge.”
Andy Vernon, the director of ICT at Sheffield Teaching Hospitals NHS Foundation Trust, said his organisation was one of many “flying blind” when WannaCry hit. During the early stages of the attack “we didn’t have a clear information source, other than the BBC website”, he said.
“The thing we really want more of is real-time information, and some creative thinking about the channels for providing it,” he added. “Lots of people closed down their borders. Communication via email might not have been the best way to get back to us. We were all flying blind at the time it hit.”
Ready for next time?
Suppliers varied in their responses to WannaCry. “Some responses were really helpful, a great many of them weren’t,” said Vernon.
Some suppliers set up helpful telephone conferences, at which they shared what they knew. “I went onto a call on Sunday afternoon with 100 people, in which we were able to get a real fix on what was happening, people’s experiences, and what people had done.”
The health service will be hit by further cyber security incidents. Trusts have already reported disruption from another bit of ransomware, known as Bitpaymer. And there are simply too many generic attacks launched at the world’s IT systems for there not to be more.
Mike Hulett, head of operations at the National Cyber Crime Unit, told the conference that there are now an estimated 2.5 million cyber-crimes each year that require some kind of government or law enforcement response. “Have we got the resource to do it? Now, we don’t.”
Vernon agreed that there was now a continual “arms race with the bad guys”; but he said what worried him was the idea of those bad guys targeting the NHS specifically.
In comparison with WannaCry, “a concerted attack on the NHS could be much more destructive”, he said. “That’s what keeps me awake at night.”
No longer a hypothetical threat
Meantime, WannaCry may just have had some good effects. The conference heard that it had taken such a large-scale cyber-attack to make the issue of cyber security a real, rather than a hypothetical, issue for the NHS.
Kirsten Major, the deputy chief executive at Sheffield Teaching Hospitals, said in a video address that there had been a “huge increase in awareness” at her trust, and that lessons had been learned.
Pre-attack work had put the trust in a good place when WannaCry hit, she said, but even so: “I learned personally a huge amount about cyber security I didn’t know before that weekend.”
NHS Digital used the conference as a public platform to both acknowledge the need to improve and to announce some new tools for doing so.
These included having the right communications in place, a cyber ‘playbook’ for emergencies in which key roles and responsibilities are set out, and greater use of regional NHS leads. As Hulett summed up, “If it [cyber security] wasn’t a boardroom issue before, it certainly is now.”