Postmortem Finds NHS ‘Could Have Prevented’ WannaCry
Anti-Malware
,
Governance
,
Incident Response
Basic Cybersecurity Defense Every Day Keeps the Ransomware Infections at Bay
The National Health Service in England should have been able to block the “unsophisticated” WannaCry ransomware outbreak that hit the world in May, government auditors say. But the failure of so many NHS trusts and organizations to block WannaCry means that unless substantial cybersecurity improvements get made, the NHS will remain easy pickings for online attackers
(see British Security Services Tie North Korea to WannaCry).
See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach
On Friday, the National Audit Office, an independent Parliamentary body that audits central government department and agencies and some public bodies, released the results of its NHS England probe in a report: Investigation: WannaCry cyber attack and the NHS.
“The WannaCry cyberattack had potentially serious implications for the NHS and its ability to provide care to patients,” Amyas Morse, who heads the NAO, says in a Friday statement. “It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
The NAO report focuses on the Department of Health – the U.K. government department responsible for setting health and adult social care policy in England, along with some matters that have not been devolved to the governments of Scotland, Wales or Northern Ireland. The report covers events immediately before May 12 and up until September 30, and is limited to the impact of WannaCry on the NHS in England. It also lays out specific recommendations that the health department and NHS England have agreed to implement, to help it to better prevent and respond to future cyberattacks.
While the NAO report’s findings pertain directly to the U.K. Department of Health as well as NHS England, at least some other organizations across Britain appear to have been disrupted by WannaCry. Officials at NHS Scotland, NHS Wales and NHS Northern Ireland didn’t immediately respond to requests for comment on the impact of WannaCry on health organizations in their countries, or to the NAO findings, and if they have already implemented the NAO’s recommendations.
Poor Cybersecurity Practices
Officials say WannaCry infected more than 200,000 PCs in at least 100 countries. The NAO says it was the biggest cyberattack to ever hit NHS England, while acknowledging that many trusts had already faced and in some cases fallen victim to ransomware attacks (see Scottish Hospitals Hit by Bitpaymer Ransomware).
The NAO report found that the cybersecurity practices in place in the NHS were at best inadequate, while oversight of those practices by the government’s Department of Health were nonexistent. While the department had issued warnings about the need for all NHS organizations to migrate off of Windows XP, for example, and urged them in March and April to install the critical updates to patch the flaws that WannaCry would exploit in May, “the department had no formal mechanism for assessing whether NHS organizations had complied with its advice and guidance.”
Before the attack, furthermore, “NHS Digital had conducted an onsite cybersecurity assessment for 88 out of 236 trusts, and none had passed,” the NAO reports. “However, NHS Digital cannot mandate a local body to take remedial action even if it has concerns about the vulnerability of an organization.”
Massive Outbreak
Enter WannaCry: At least 81 of England’s 236 NHS trusts were disrupted by the ransomware although the Department of Health and NHS England “do not know the full extent of the disruption,” the NAO found. “A further 603 primary care and other NHS organizations were infected by WannaCry, including 595 GP practices,” it adds. “However, the Department does not know how many NHS organizations could not access records or receive information, because they shared data or systems with an infected trust.”
England’s national provider of information, data and IT systems for the NHS and affiliated organizations, NHS Digital, has told auditors that “it believes no patient data were compromised or stolen.” But at least five accident and emergency departments were left unable to treat some patients, and NHS England estimates that at least 19,000 appointments had to be canceled, while acknowledging that it has no idea how many further appointments were canceled by general practitioners whose systems were infected by WannaCry, and how many patients and ambulances had to be diverted from A&E departments.
The NAO says NHS England informed it that no trusts infected with WannaCry had paid the ransom, and that NHS Digital wrote to all trusts on May 14 advising them not to pay. Regardless, security researchers have said that due to coding errors, whoever launched WannaCry would not have been able to tell which victims paid the ransom, meaning it likely would not have been effective.
The Department of Health was not able to estimate the total losses incurred by the ransomware outbreak, including cancelled appointments, additional IT support by NHS bodies, the costs from incident response and remediation support provided by third-party consultants or the cost of restoring data.
Simple patching, meanwhile, could have prevented the WannaCry outbreak. “All NHS organizations infected by WannaCry had unpatched or unsupported Windows operating systems so were susceptible to the ransomware,” the report finds. “However, whether organizations had patched their systems or not, taking action
to manage their firewalls facing the internet would have guarded organizations against infection.” The NAO adds that no WannaCry infections had traveled via the NHS’s email system.
Plan: Untested, Not Communicated
The NAO found that while the Department of Health had developed a plan for responding to major incidents at a national level, it had neither “rehearsed for a national cyberattack” nor “tested the plan at a local level.”
At 6:45 p.m. on May 12, NHS England declared the attack to be a “major incident” and began attempting to coordinate the response, but this was hampered by WannaCry having crypto-locked systems, leaving many unable to access their email. “Locally, NHS staff shared information through personal mobile devices, including using the encrypted WhatsApp application,” the NAO report says. “Although not an official communication channel, national bodies and trusts told us it worked well during this incident.”
Many Saved Thanks to Kill Switch
In some respects, the NHS was lucky. “The cyberattack could have caused more disruption if it had not been stopped by a cyber researcher activating a ‘kill switch'” on the evening of May 12 that arrested the ransomware’s crypto-locking capabilities,” the NAO report notes. “This meant that some NHS organizations had been infected by the WannaCry ransomware, but because of the researcher’s actions, they were not locked out of their devices and systems.”
Beginning May 15 and continuing until mid-September, NHS Digital found that devices in at least 92 more NHS organizations, including 21 trusts, suffered infections and attempted to “phone home” to the WannaCry domain.
The report makes multiple references to the kill switch, which was found by British security researcher Marcus Hutchins, aka MalwareTech. He was subsequently arrested by the FBI while on a trip to this past summer’s Black Hat conference in Las Vegas, on charges that he helped develop and sell Kronos banking malware (see WannaCry ‘Hero’ Pleads Not Guilty, Allowed Back Online).
4 Recommendations
Based on the NHS’s WannaCry response and failures, the NAO has recommended – and NHS Digital and the Department of Health has agreed – that NHS England must:
- Plan: “Develop a response plan setting out what the NHS should do in the event of a cyber attack and establish the roles and responsibilities of local and national NHS bodies and the department”;
- Patch: NHS must ensure organizations pay attention to critical cybersecurity alerts, apply all designated software patches and ensure anti-virus software and signatures remain updated;
- Communicate: “Ensure essential communications are getting through during an incident when systems are down”;
- Educate: “Ensure that organizations, boards and their staff are taking the cyber threat seriously, understand the direct risks to frontline services and are working proactively to maximize their resilience and minimize the impact on patient care.”
Lessons For All
While the NAO’s WannaCry report only looks at the NHS England response, information security experts say it contains lessons that everyone should be learning, and not just in Britain’s health service.
“Senior execs should put this on their reading list, now. Learn from the mistakes of others. Don’t repeat history,” says Alan Woodward, a computer science professor at the University of Surrey, via Twitter.
Any organization’s senior executives and board of directors can immediately order their organization to simulate how it will respond to the next outbreak of WannaCry proportions and continue to test and refine those preparations. Because if there’s one certainty in life, says Thom Langford, CISO of publishing giant Publicis Groupe, it’s that massive cyberattacks are a “not if, but when” proposition. “Never forget to work out your response plan, however basic,” he says via Twitter.