On 12th May last year, the previously-unknown WannaCry ransomware struck Britain, taking over hundreds of systems at various organisations, encrypting enterprise data, and significantly impacting operations at targeted organisations.
Of all UK organisations impacted by the WannaCry ransomware attack, the NHS was the hardest hit. Figures released by the UK's National Audit Office have revealed that the ransomware attack affected 45 NHS organisations, including 37 trusts, on the first day. During the course of the campaign, at least 81 out of 236 trusts across England, 595 GP practices, and 603 primary care and other NHS organisations were impacted.
Even though a 22-year-old computer expert from Devon finally helped destroy the WannaCry ransomware after discovering its "kill switch", the National Audit Office believes that it was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.
It noted that even after being alerted by the Department and Cabinet Office in 2014, who warned about the dangers of using outdated software, NHS trusts did little to update or replace legacy software used at clinics and hospitals. At the same time, the Department of Health had no formal mechanism to assess whether local NHS trusts and hospitals were complying with best practice guidelines to prevent cyber-attacks.
The lack of visibility was such that even now, neither the Department nor NHS England knows how many GP appointments were cancelled, how many patients were diverted, or how much the disruption to services cost the NHS. According to the NAO, the disruption could have been much worse if the ransomware had not been stopped by a cyber-researcher activating a ‘kill switch’.
"Of the 37 trusts infected and locked out of devices, 32 were located in the North NHS Region and the Midlands & East NHS region. NHS England believes more organisations were infected in these regions because they were hit early on 12 May before the WannaCry ‘kill switch’ was activated," it noted.
"It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber-threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks," said Amyas Morse, head of the National Audit Office.
The Audit Office also observed that the NHS had not rehearsed for a national cyber-attack; that it was not immediately clear who should lead the response as there were problems with communications; that locally, NHS staff shared information through personal mobile devices, including using the encrypted WhatsApp application; that infected organisations had unpatched or unsupported Windows operating systems and so were susceptible to the ransomware; and that the NHS has accepted that there are lessons to learn from WannaCry and is taking action.
It added that regardless of the fact that NHS organisations had unpatched and old operating systems that were vulnerable to WannaCry, taking action to manage their firewalls facing the internet would have guarded organisations against infection.
Commenting on the findings of the National Audit Office, Dr Anton Grashion, managing director for security practice at Cylance, said that even though the findings of the NAO are comprehensive and accurate, they did not include the fact that WannaCry could have been controlled had their front line AV defence been different.
"This doesn't detract from their findings: preparation for an incident; control of unauthorised sharing and data; upgrading unpatchable systems (although the AV engine that could have stopped WannaCry supports systems back to Windows XP SP3) are all indisputable. However, WannaCry could be stopped and that was not part of the findings of the investigation," he said.
Javvad Malik, security advocate at AlienVault, told SC Magazine UK that the NAO findings are useful not just for the NHS, but also for other organisations looking for advice on what steps they can take to build cyber resilience.
"Fundamental security controls and hygiene could have prevented, or at least minimised the impact of WannaCry. But perhaps even more telling is that while the Department of Health had an incident response plan, it was neither communicated nor tested. Without a clearly communicated and tested incident response plan, trying to make one up during an incident is a recipe for disaster.
"It becomes increasingly important for all organisations of all sizes to invest in cyber-security. It doesn't necessarily need to be huge investments, but care should be taken that the fundamental security controls are put in place and validated, as well as testing an incident response plan," he said.