
Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
April 19, 2018


NHS is “not alone” in its inertia post-WannaCry, says cybersecurity chief

A year on from the WannaCry cyber-attack, which led to 20,000 cancelled hospital appointments, the NHS has yet to agree an action plan, according to a report by MPs.

In the wake of the ransomware attacks, which swept across Europe last June, the NHS published a review, Lessons Learned, which featured 22 recommendations for strengthening the organisation’s cybersecurity policies and protections.

However, the plans have neither been put in place, scheduled for implementation, nor costed by the Department of Health, a Public Accounts Committee report found.

A senior cybersecurity executive has said the NHS is hardly an outlier when it comes to its inadequate preparations for the evolving cyber threat.

“The Public Account Committee’s report into the NHS WannaCry cyber-attack highlights a lack of preparedness for attacks of this nature, but the NHS is not alone in this,” said Andrew Beckett, managing director of Kroll’s cyber security and investigations division. “We still see many businesses which are unaware of how to effectively mitigate the growing threat of cyber-attacks.”

“Most organisations have begun to invest in plans, but, like the NHS, failed to communicate them across the business and prepare subsidiaries and senior executives outside of the security and IT departments for such threats.”

The Public Accounts Committee report also noted that NHS organisations have a lot to do to adequately strengthen their cyber-resilience. Some 200 NHS trusts have failed an on-site cybersecurity assessment – some even neglecting to patch systems, a relatively basic precaution. Unpatched systems were the main reason the NHS had been vulnerable to WannaCry.

Serious vulnerabilities

“The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cybersecurity and response plans of the NHS,” Committee chair Meg Hillier said. “But the impact on patients and the service more generally could have been far worse and government must waste no time in preparing for future cyber attacks – something it admits are now a fact of life.

“It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed.

“I am struck by how ill-prepared some NHS trusts were for WannaCry, in many cases failing to act on warnings to patch exposed systems because of the anticipated impact on other IT and medical equipment.

She added: “This case serves as a warning to the whole of government: a foretaste of the devastation that could be wrought by a more malicious and sophisticated attack. When it comes, the UK must be ready.”

The Public Accounts Committee report recommended that the Department of Health should:

  • Provide an estimate of the cost to the NHS of WannaCry and how national bodies should align investment with service and financial risks;
  • Support local organisations to enhance cybersecurity protections and resilience in the event of attacks;
  • Establish how local systems can be updated while minimising disruption to services;
  • Make sure IT suppliers are accredited and incorporate into local and national contracts terms to protect the NHS against cyber-attacks;
  • And emphasise IT and cybersecurity skills in local and national workforce plans.

Nearly one in five businesses (18%) suffered a ransomware attack last year, up from 13% the previous year, according to research by Kroll.

Beckett, Kroll’s MD for cyber security and investigations, offered these recommendations: “As outlined in this report, it is crucial for businesses to not only have a plan in place but to conduct simulations and test their plans before an attack takes place. Organisations also need to ensure that their critical suppliers are protected against these and other cyber-attacks.

“The report emphasises that this incident was a result of several failures, such as trusts not securing their operating systems, managing firewalls and upgrading patches, and not solely one act.

“We hope that other organisations also now take the initiative to look at protecting themselves from ransomware and other forms of malware in a holistic way, including vulnerability assessments, investing in software and ensuring it is regularly updated, developing well thought-out backup and recovery plans and creating processes that are clearly communicated to employees.”
