Despite the fact that almost a year has passed since WannaCry infiltrated the NHS, the UK’s national health service has yet to fully learn from the mistakes that rendered it vulnerable to attack in the first place.



A recent report published by the government highlights the impact of the attack and lessons that need to be learned as a result.


While the risk to patient data is the main focus of this report, and is often viewed as the weakest point for the NHS, it is important to remember the other aspects of healthcare that were also affected by the attack and remain vulnerable to ransomware.

The impact of WannaCry

Hospitals and health centres of every size rely on equipment to carry out a multitude of tasks, from machines conducting everyday blood and tissue tests to expensive MRI scanners.


Although less obvious, medical devices such as these are also at the mercy of cyberattacks, with over 1,200 pieces of diagnostic equipment affected by WannaCry last May, and additional equipment put out of use to prevent the ransomware from spreading. As a result, delays in test processing and the communication of results were just the tip of the iceberg in terms of patient impact.

Top three security challenges

The cyberattack last year showed the effect a mass IT outage can have on the NHS, crippling vital healthcare services around the country. It also highlights that security should be one of the top healthcare priorities, as the nation as a whole relies on the industry 24/7.


But healthcare professionals face a range of challenges to meet the security standards required to prevent attacks such as WannaCry from affecting their equipment. While the NHS still grapples with how to remain fully secure, here are three priorities that should be top of the list:

1. Devices hold data that can be accessed wirelessly

One clear problem is that many devices have the ability to store personally identifiable information (PII), which highlights these in particular as a security risk. Should these devices be hacked, the information they hold could be compromised.


Increasing this risk is the fact that these devices can be connected to the network either wired or wirelessly. While the wired equipment stays put, the wireless devices can be taken anywhere in the facility, making the job of keeping track of them all the more difficult.

2. Not all devices accept malware protection or system patches

Despite the increasing risk of cyberattacks, most medical devices have restrictions on software updates to malware protection products and operating system patches, preventing the equipment from maintaining its frontline security.


These unprotected devices can therefore unintentionally serve as entry points for cyberattacks, leaving the entire network vulnerable. To make matters worse, devices are still in use today that are too old to be patched at all.

3. IT professionals lack visibility into network devices

Without an accurate and up-to-date map of all of the devices that exist in a healthcare facility, IT leaders and their teams have no feasible way to track the equipment that is in use at any one time.


The issue this raises in relation to attacks is that it becomes difficult to see where malware has infiltrated one or more devices, as there is currently no system in place to monitor this.

How the NHS can prepare for next time

With ransomware, it is a case of when, not if, another attack will occur. As recent reports have highlighted, cyberattacks can have a devastating impact on the NHS due to the critical nature of the service it provides.


To prevent it from suffering again to the extent it did with WannaCry, the UK government has invested an additional £196 million in cybersecurity up to 2020. But what should the NHS use this funding for?


A ‘lessons learned review’ published by NHS England recommends that all NHS organisations develop plans to comply with the Cyber Essentials Plus standards by June 2021, which will ensure a minimum level of cybersecurity is maintained; these are to be published in June 2018.


The review also recommends that processes be in place to manage third-party contracts for IT systems and devices, to confirm that security updates are standard practice.


As part of this, NHS organisations would benefit from implementing a network management system that can protect their network and keep all the medical devices secure, thereby reducing the likelihood of another attack taking effect.


Having centralised network access control is non-negotiable from a security perspective, and therefore integrating a system that can provide this effectively is crucial.


WannaCry can be seen as a warning shot, a very successful one at that, but what is most important now is preventing another attack with the potential to bring the NHS to its knees. Now is the time to act, not after the next attack.
