Putting the NHS to Ransom by Jeremy Swinfen Green

Jeremy Swinfen Green

Jeremy Swinfen Green is Head of Consulting for Teiss Cyber Security




The WannaCry ransomware crisis in the NHS has subsided, thankfully. And while it is fairly clear that the NHS wasn’t directly targeted, it’s worth asking whether it could be targeted in the future, and why it was so badly affected this time round.

Ransomware attacks tend to be of two types: the common-or-garden spam-based attacks where a small ransom, generally in the region of £300, is demanded; and targeted “whaling” attacks where an individual organisation faces demands of many thousands of pounds.

The spam-based attacks only ask for a small amount of money, on the basis that more people are likely to pay up without questioning it. Indeed, for a small business that has backed up its data, paying the ransom rather than restoring from the backup may appear to make financial sense, given the disruption that restoring data can involve.

(Note: paying a ransom is borderline immoral, it funds the next attack, and there is no guarantee that you will get your data back in any case. Best to back up, and practise restoring data on a regular basis!)

In the case of WannaCry the attack was indiscriminate: it spread as a self-propagating worm across networks, exploiting a vulnerability in Windows SMBv1 file sharing, rather than by email, but with the aim of making a lot of money from a large number of small payments. Microsoft had issued a patch for that vulnerability (MS17-010) in March 2017 for supported versions of Windows; Windows XP, out of mainstream support since 2014, only received an emergency patch after the outbreak had begun. The NHS was affected, along with many other organisations including large businesses, because it had many computers running unpatched Windows, among them a 16-year-old operating system, Windows XP.

Outdated Technology

The Government has been castigated by some commentators for not renewing a £5.5 million Premier Services Agreement (PSA) with Microsoft to continue supporting the Windows XP machines run by the NHS by providing security patches (i.e. fixes for newly discovered weaknesses).

And indeed the Government did decide not to renew this contract. This doesn’t seem to have been a money-saving exercise, however. Rather it was an attempt to force slow-moving parts of the NHS to move to a more modern operating system such as Windows 7. (Moving alone is not enough, of course: a supported system only stays protected if its patches are actually applied, and the patch that would have blocked WannaCry had been available for Windows 7 for two months before the outbreak.)

And force was clearly needed. Back in October 2014 it was reported that a large number of trusts had failed to sign up to the £5.5 million contract. More than two years on, we are seeing the result of the failure of a small number of NHS managers to take cyber security seriously.

Why have some trusts been so slow to defend themselves? Some people have suggested that it is incompetence on the part of IT managers. That may, in a very few cases, be part of the answer. But it is more complex than that.

An Attitude Problem?

In part this is a problem of culture. If the top of an organisation decides that there are more important things to focus on than cyber security then it is likely that those lower down will get that message.

There is also caution: with IT systems that are an integral part of critical life-or-death systems, it is natural to be cautious about making changes. Patches need to be tested before they are applied in case they cause unforeseen problems. But testing should delay a critical security patch by days, not months, and where a patch genuinely cannot be applied there are compensating controls, such as disabling the vulnerable SMBv1 service or blocking its port (TCP 445) at the network boundary, that would have limited WannaCry’s spread.

And there may also have been complacency. UK Home Secretary Amber Rudd was at pains to emphasise that “patient data was not at risk” during the attack, as if this was the most important thing to worry about.

Is this attitude at the centre of the problem? Are we seeing a focus on data confidentiality, at the expense of data integrity and data access? In other words does the NHS care more about keeping data safe than it does about maintaining efficient operations?

The government, and NHS managers, need to realise that there are three elements to cyber security, confidentiality, integrity and availability: keeping data confidential, stopping people tampering with data, and ensuring that authorised people can get access to data when they need it. WannaCry was an attack on availability, and a hospital that cannot read its records cannot treat patients. A focus on just one element won’t cut it.

The Future of Cyber Crime

So what of the future? Will criminals realise that the NHS is an easy mark and target it with ransomware attacks that demand payments of thousands of pounds? Perhaps. But the situation may change in a year’s time, because this time next year new data protection rules, the GDPR, will be in force. And the GDPR allows regulators (in the UK, the Information Commissioner) to levy fines of up to 4% of global annual turnover or €20 million, whichever is higher, on organisations that fail to protect personal data and allow it to be leaked.

This could be a new opportunity for criminals. Rather than encrypting files, they may search for personal data and steal it, threatening to publish it on the web, and so expose the victim to regulatory fines, unless large ransoms are paid.

If that happens then we will have to hope that Amber Rudd’s confidence that “patient data was not at risk” still holds true.