Adam Bannister

Editor, IFSEC Global


Adam Bannister is editor of IFSEC Global. A former managing editor at Dynamis Online Media Group, he has been at the helm of the UK's leading fire and security publication since 2014.
April 19, 2018


NHS is “not alone” in its inertia post-WannaCry, says cybersecurity chief

A year on from the WannaCry cyber-attack, which led to 20,000 cancelled hospital appointments, the NHS has yet to agree an action plan, according to a report by MPs.

In the wake of the ransomware attacks, which swept across Europe last June, the NHS published a review, Lessons Learned, which featured 22 recommendations for strengthening the organisation’s cybersecurity policies and protections.

However, the plans have neither been put in place, scheduled for implementation, nor costed by the Department of Health, a Public Accounts Committee report found.

A senior cybersecurity executive has said the NHS is hardly an outlier when it comes to its inadequate preparations for the evolving cyber threat.

“The Public Account Committee’s report into the NHS WannaCry cyber-attack highlights a lack of preparedness for attacks of this nature, but the NHS is not alone in this,” said Andrew Beckett, managing director of Kroll’s cyber security and investigations division. “We still see many businesses which are unaware of how to effectively mitigate the growing threat of cyber-attacks.


“Most organisations have begun to invest in plans, but, like the NHS, failed to communicate them across the business and prepare subsidiaries and senior executives outside of the security and IT departments for such threats.”

The Public Accounts Committee report also noted that NHS organisations have a lot to do to adequately strengthen their cyber-resilience. Some 200 NHS trusts have failed an on-site cybersecurity assessment, with some even neglecting to patch systems, a relatively basic precaution. Unpatched systems were the main reason the NHS had been vulnerable to WannaCry.

Serious vulnerabilities

“The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cybersecurity and response plans of the NHS,” Committee chair Meg Hillier said. “But the impact on patients and the service more generally could have been far worse and government must waste no time in preparing for future cyber attacks – something it admits are now a fact of life.

“It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed.

“I am struck by how ill-prepared some NHS trusts were for WannaCry, in many cases failing to act on warnings to patch exposed systems because of the anticipated impact on other IT and medical equipment.

She added: “This case serves as a warning to the whole of government: a foretaste of the devastation that could be wrought by a more malicious and sophisticated attack. When it comes, the UK must be ready.”

The Public Accounts Committee report recommended that the Department of Health should:

  • Provide an estimate of the cost to the NHS of WannaCry and how national bodies should align investment with service and financial risks;
  • Support local organisations to enhance cybersecurity protections and resilience in the event of attacks;
  • Establish how local systems can be updated while minimising disruption to services;
  • Make sure IT suppliers are accredited and incorporate into local and national contracts terms to protect the NHS against cyber-attacks;
  • And emphasise IT and cybersecurity skills in local and national workforce plans.

Nearly one in five (18%) of businesses suffered a ransomware attack last year, up from 13% the previous year, according to research by Kroll.

Kroll’s Beckett offered these recommendations: “As outlined in this report, it is crucial for businesses to not only have a plan in place but to conduct simulations and test their plans before an attack takes place. Organisations also need to ensure that their critical suppliers are protected against these and other cyber-attacks.

“The report emphasises that this incident was a result of several failures, such as trusts not securing their operating systems, managing firewalls and upgrading patches, and not solely one act.

“We hope that other organisations also now take the initiative to look at protecting themselves from ransomware and other forms of malware in a holistic way, including vulnerability assessments, investing in software and ensuring it is regularly updated, developing well thought-out backup and recovery plans and creating processes that are clearly communicated to employees.”

