Damning report finds despite WannaCry attack, NHS still not patching
It would seem despite the massive WannaCry attack that occurred almost exactly a year ago, the United Kindgom’s National Health Service (NHS) still has not learnt its lesson.
A damning government report has emerged that reveals the true state of affairs. The NHS recently assessed the cybersecurity level of 200 trusts and shockingly, every single trust failed the cybersecurity test - in some cases because they had failed to apply crucial patches to their systems, which is the what opened the doors to the WannaCry attack in the first place.
However, the report stated that the Department for Health (DfH) and NHS Digital stressed that the trusts failed the assessments not because they had not done anything on cybersecurity, but rather because the Cyber Essentials Plus standard on which they are tested against is a high bar.
No matter what they say however, it is still extremely concerning that some of the trusts STILL are not applying critical patches.
The report found that around 80 of England’s 236 NHS trusts were infected by the ransomware in addition to more than 600 more NHS organisations such as GP practices.
The attack was declared a “major incident” by the NHS and resulted in the cancellation of almost 20,000 operations and hospital appointments. Despite this, the DfH has no indication of how much money WannaCry cost the NHS, stating that its focus at the time was on caring for patients.
There were several other concerning facts that came from the report, including the fact that despite the DfH, NHS England and NHS Improvement publishing 22 recommendations for improving the NHS’ cybersecurity back in February, plans for implementation are yet to be agreed upon and the DfH has no idea when it will happen or how much it will cost.
The issue is that many local bodies are unable to apply patches and updates to IT systems without disrupting patient care given many are interdependent on each other.
There have been some progress though, with the DfH investing nearly £200 million since the WannaCry attack in various improvements to cybersecurity up to 2020, including more support resources for vulnerable organisations, improvements to local infrastructure and addressing major security gaps in major trauma centres and ambulance trusts.
Cybereason intelligence services senior director Ross Rustici says cybersecurity is not a bolt-on after the fact, or a wound to be triaged, but rather it should be foundational.
“If the NHS or any other government entity viewed cybersecurity as fundamental to their operations as the ability to assure the physical safety of the public or patients in NHS's case, then the NHS would never have suffered from WannaCry to begin with because it would have used the ample time it had to adequately patch their network,” says Rustici.
“The failures of the NHS to implement the cybersecurity recommendations are not a new struggle nor are they limited to the NHS. Government entities at the national and local level have a complex set of challenges often under conditions of shrinking budgets. An increased spend on cybersecurity often necessitates a reduction of spending in an area that is seen as providing primary services.”
Rustici says despite this stark reality, it demonstrates a failure in institutions to keep up with the current reality they face, and this security spending gap will never be addressed until cybersecurity is viewed as a fundamental necessity when new buildings, institutions, and services are being rolled out.
“It is far easier and cheaper to keep a network healthy than it is to recover and strengthen a network after it has been severely compromised. The UK is now in the position of either having to allocate a lot of new funding to get NHS back to a steady state of healthy or accept the inherent risk of having a weakened security posture in an increasingly hostile environment,” concludes Rustici.