WannaCry in the NHS: who takes responsibility?

News by SC Staff

In the wake of the WannaCry ransomware which took out over 60 NHS trusts, SC ponders where the blame lies.

Even before Friday's cyber-attack, NHS frontline staff had been stretched during a tough winter, during which the Red Cross called a “state of emergency”, with warnings of an alleged shortage of nearly 40,000 nurses by 2026 thanks to Brexit.

It's safe to say the NHS is in dire financial straits and, as we can all now see, its IT systems have not escaped these funding constraints.

A ransomware worm by the name of WannaCry made the rounds on NHS IT and, thanks to the prolific use of unpatched Windows XP machines, managed to infect and encrypt around 200,000 known victims, including over 60 NHS trusts. Some NHS trusts in Ireland were alleged to have suffered the same fate, along with a host of overseas organisations.

The cost of the attack is unknown at present, but Graeme Newman, chief innovation officer at CFC Underwriting, is predicting that the global malware attack could cost UK business more than £100 million.

A rudimentary SC analysis of three Bitcoin wallets linked to the individual(s) orchestrating the attack shows that by lunchtime today they had gained £39,000 in ransom payments. That figure is expected to rise as people infected weigh up the cost of paying up or losing the files on their computer - though this initial rate of payment is remarkably low.

In a statement on its website, BMA council chair Mark Porter said: “This cyber-attack on NHS information systems is extremely worrying for patients and the doctors treating them. There have been reports of hospital doctors and GPs unable to access patients' medical records, appointment booking systems and in some cases having to resort to pen and paper.”

As expected during a General Election, the blame game and political mudslinging matches are well underway.

According to the Guardian newspaper, the leader of the Labour party, Jeremy Corbyn, has expressed anger that the Conservative government failed to renew a £5.5 million cyber-security deal with Microsoft over a year ago.

The Liberal Democrats have also criticised the Conservative government. Again, according to the Guardian newspaper, the Liberal Democrat home affairs spokesman, Brian Paddick, said: “We need to get to the bottom of why the government thought cyber-attacks were not a risk, when a combination of warnings and plain common sense should have told ministers that there is a growing and dangerous threat to our cyber-security.”

Jonathan Ashworth, Labour's shadow health minister, wrote a letter to Jeremy Hunt, the government's Minister for Health, on Saturday, asking him to “publicly outline the immediate steps you'll be taking to significantly improve cyber-security in our NHS.”

This followed news that in the last year a billion pounds had been taken out of infrastructure in order to plug wider funding gaps in the NHS. According to figures seen by HSJ, more than £3 billion is set to be moved by 2020 from an NHS investment fund, part of which is spent on the NHS's IT infrastructure, to help fill funding gaps elsewhere in the NHS.

So it might not be outlandish to assume that the NHS simply did not have the money to upgrade its systems and ensure they are patched with all the latest security updates, and instead chose to spend it on frontline staff and healthcare. However, some commentators have claimed this is not all down to money and funding of the NHS.

Chris Sutherland, chief information security officer at Universities and Colleges Shared Services Limited, opined on LinkedIn that, “We security people tend to forget that we are overhead in our own organisations. When we continue to roadblock business objectives without adding any value, or effectively communicating value, the business side of the organisation is right to ignore us. The only thing we can really do to avoid this sort of thing again is learn to talk ‘suit.’ We need to be able to convey the true business risks to business executives in business terms. Businesses were vulnerable to this attack because we security people failed to effectively communicate the business risks and impacts of not patching MS17-010.”

This could be argued to be the main reason this ransomware epidemic managed to infect so many computers so quickly. Many organisations, the NHS included, will have done the risk assessment, compared the cost of becoming infected with the cost of actually applying patches to IT systems, and made the decision based upon that. Upgrades cost money, and if the NHS failed to justify these, the money would be spent elsewhere.

Another prominent IT security commentator, also writing on LinkedIn but asking not to be attributed, pointed the finger at IT security vendors. He writes: “Had the software vendors not charged over the odds for their software, had the IT consultants not tried to rip them off, would the NHS have been able to move off their legacy IT solutions and therefore into a patchable environment and kept themselves in a safer IT environment? I think some blame has to lie with the IT vendors who see government services such as education and healthcare as a cash cow and charge over-the-odds for services.”

And the story doesn't end there for IT security companies: over the weekend it emerged that Sophos, a well-known cyber-security firm whose security software is allegedly installed on 80 percent of the NHS's computers, failed to protect the NHS from the attack.

Kevin Beaumont, a prolific cyber-security commentator on Twitter, pointed out that the IT vendor's website changed from saying “The NHS is totally protected with Sophos” to “Sophos understands the security needs of the NHS”.

SC has approached Sophos to inquire about the situation and how it responds to allegations that its software installed on NHS end-points failed to detect the WannaCry malware. A spokesperson for Sophos said: “Within the NHS there are multiple Trusts and organisations, all of whom make independent IT decisions. There is no overall body governing IT security decisions. Many of these NHS organisations choose Sophos to supply some of their security software or hardware. While some of the affected customers were indeed Sophos customers, others were not.”

It added: “In fact, in many cases, Sophos was able to proactively protect our customers with our Sophos Intercept X and Sophos Exploit Prevention (EXP) products which blocked the ransomware behaviour in all known cases from the outset. We published an update within hours of discovering the threat so our Endpoint Protection also now blocks all known variants. The vast majority of our NHS customers did not experience an issue and we've been working over the weekend to actively support those that did have an issue to ensure their protection is up to date and their computers are patched. To ensure that all our NHS customers are able to benefit from proactive protection against any new attacks, we have now offered Sophos Intercept X and Sophos Exploit Prevention free of charge for a limited period.”

In defence of Sophos, which is a well-known IT security software vendor, it has jumped to release lots of guidance on responding to the WannaCry ransomware epidemic. But given the past reputation of IT security software vendors for over-promising and under-delivering on their products' capabilities, if the allegations are true, Sophos surely has questions to answer.

As the National Crime Agency, European police force Europol, and the National Cyber Security Centre continue to investigate the attack, we can be sure to see more finger pointing and blame dealt.

Ken Munro, partner at security firm Pen Test Partners, wrote of the silver linings of the attack, reminding us that no data was stolen, the attack wasn't targeted at the NHS, WannaCry itself isn't great malware and, although it is extremely stressful for IT staff, a ransomware infection can easily be fixed using backups. And the last point is largely true; all but six of the 60 NHS Trusts infected have now resumed operation.
