{"id":8382,"date":"2019-05-24T09:01:32","date_gmt":"2019-05-24T09:01:32","guid":{"rendered":"http:\/\/www.firstlinepractitioners.com\/wannacry-report-shows-nhs-chiefs-knew-of-security-danger-but-management-took-no-action\/"},"modified":"2019-10-03T12:09:03","modified_gmt":"2019-10-03T12:09:03","slug":"wannacry-report-shows-nhs-chiefs-knew-of-security-danger-but-management-took-no-action","status":"publish","type":"post","link":"https:\/\/www.firstlinepractitioners.com\/cs\/wannacry-report-shows-nhs-chiefs-knew-of-security-danger-but-management-took-no-action\/","title":{"rendered":"WannaCry report shows NHS chiefs knew of security danger, but management took no action"},"content":{"rendered":"<p><a href=\"https:\/\/theconversation.com\/profiles\/eerke-boiten-104676\">Eerke Boiten<\/a>, <em><a href=\"http:\/\/theconversation.com\/institutions\/de-montfort-university-1254\">De Montfort University<\/a><\/em> and <a href=\"https:\/\/theconversation.com\/profiles\/david-wall-98233\">David Wall<\/a>, <em><a href=\"http:\/\/theconversation.com\/institutions\/university-of-leeds-1122\">University of Leeds<\/a><\/em><\/p>\n<p>A report from the parliamentary <a href=\"https:\/\/www.nao.org.uk\/report\/investigation-wannacry-cyber-attack-and-the-nhs\/\">National Audit Office<\/a> into the WannaCry ransomware attack that brought down significant parts of Britain\u2019s National Health Service in May 2017 has predictably been reported as blaming <a href=\"https:\/\/www.nhs.uk\/NHSEngland\/thenhs\/about\/Pages\/authoritiesandtrusts.aspx\">NHS trusts<\/a> and smaller organisations within the care system for failing to ensure that appropriate computer security measures such as software updates and secure firewalls were in place.<\/p>\n<p>But the central NHS IT organisation, <a href=\"https:\/\/digital.nhs.uk\/\">NHS Digital<\/a>, provided security alerts and the correct patches that would have protected vulnerable systems well before WannaCry hit. 
This is not a cybersecurity failure in the practicalities, but a failure of cybersecurity management at the top level.<\/p>\n<p>Despite the extensive news coverage it received, WannaCry was a major wake-up call for the NHS rather than a downright disaster. It <a href=\"http:\/\/www.npr.org\/sections\/alltechconsidered\/2017\/05\/16\/528570788\/from-kill-switch-to-bitcoin-wannacry-showing-signs-of-amateur-flaws\">wasn\u2019t a sophisticated attack<\/a>. But any attack based on an actual <a href=\"https:\/\/www.fireeye.com\/current-threats\/what-is-a-zero-day-exploit.html\">zero-day exploit<\/a> \u2013 a software flaw creating a security hole that is not yet known to the manufacturer or has not been made public, and so no defence or patch exists to prevent the attack succeeding \u2013 could hit the NHS much harder than WannaCry did.<\/p>\n<p>Given the lessons discussed in the NAO report, hopefully the NHS will be better prepared next time. And as there will definitely be a next time, the NHS had better have learned its lessons, because the implications of not doing so could be much greater.<\/p>\n<h2>Failing to plan is planning to fail<\/h2>\n<p>As it happened, much of the damage caused by WannaCry \u2013 including many of the more than 19,000 missed appointments \u2013 did not relate directly to the attack. The NAO report makes it clear that the NHS as a whole lacked a proper response to a national cybersecurity incident. The business continuity plan had not been tested against such a serious attack. Although <a href=\"https:\/\/www.nursingtimes.net\/opinion\/what-happened-when-the-nhs-was-affected-by-the-wannacry-ransomware-attack\/7020962.article\">only a relatively small number<\/a> of NHS organisations were actually infected by WannaCry, other parts of the NHS shut down their systems as a precaution to prevent WannaCry spreading until they were sure what to do. 
Email systems were switched off without first establishing alternatives, leading to improvisation by telephone and WhatsApp.<\/p>\n<p>More broadly, it has become clear that decentralisation has left NHS cybersecurity very exposed when under attack. NHS Digital provides alerts and patches, of course, but there appears to be no mechanism for anyone to check, let alone enforce, that they are implemented. In any case, security alerts run a risk of being drowned in the stream of \u201ccry wolf\u201d messages from the cybersecurity industry. The NHS trust boards take little ownership of cybersecurity matters, and are not being held accountable because the <a href=\"http:\/\/www.cqc.org.uk\/\">Care Quality Commission<\/a>, the NHS regulator, has not included it in their inspections.<\/p>\n<p>The official reaction from NHS Digital to the report was <a href=\"https:\/\/digital.nhs.uk\/article\/7908\/NHS-Digital-responds-to-report-on-WannaCry-cyber-incident\">brief<\/a> \u2013 no wonder, as it emerges from the affair having performed what was expected of it. NHS Digital offered on-site cybersecurity assessments at 88 NHS trusts in the years before the WannaCry incident, failing all of them. But without powers of enforcement, it was unable to press for the changes and preventative measures required to improve security. NHS Digital\u2019s own review of the WannaCry incident (as mentioned in the NAO report) had established that most trusts did not even think that cybersecurity was a risk to patient outcomes \u2013 a naive and dangerous view in an organisation heavily dependent on integrated digital systems.<\/p>\n<h2>No one left holding the reins<\/h2>\n<p>The NAO report acknowledges that NHS trusts could not be blamed for some of the missing software updates. Some medical instruments such as MRI scanners are controlled by software written for old and unsupported versions of Windows, for example, or in some cases by companies that have since gone out of business. 
Decoupling these machines from the network would solve the most immediate cybersecurity problems, but at the expense of complicating their use and increasing the chance of human error. Neither the NAO nor NHS Digital appear to have a solution yet.<\/p>\n<p>For small NHS organisations, such as individual GP practices, there is likely to be an issue of resources. Who will have the time, and at what point in their already full working day, to ensure computers are updated? Should the many NHS receptionists wait for their Windows updates to complete at the start of their day, or help their patients?<\/p>\n<p>If the lack of resources doesn\u2019t already point at government underfunding of the NHS, the report certainly points to failures at the national level, to <a href=\"https:\/\/www.england.nhs.uk\/\">NHS England<\/a> and the <a href=\"https:\/\/www.gov.uk\/government\/organisations\/department-of-health\">Department of Health<\/a>. Provided with cybersecurity recommendations by both <a href=\"https:\/\/www.gov.uk\/government\/publications\/review-of-data-security-consent-and-opt-outs\">the National Data Guardian<\/a> and the <a href=\"http:\/\/www.cqc.org.uk\/publications\/themed-work\/safe-data-safe-care\">Care Quality Commission<\/a> by July 2016, <a href=\"https:\/\/www.gov.uk\/government\/consultations\/new-data-security-standards-for-health-and-social-care\">neither body responded until July 2017<\/a>, months after WannaCry. 
The urgent need for effective, national-level cybersecurity incident planning in such a decentralised system as the NHS must be clear by now.<\/p>\n<p>The NHS was spared the full impact of a cyber-attack this time, mainly because the technical solution \u2013 a \u201ckill-switch\u201d in the ransomware \u2013 was quickly discovered by <a href=\"https:\/\/www.malwaretech.com\/2017\/05\/how-to-accidentally-stop-a-global-cyber-attacks.html\">MalwareTech researcher<\/a> <a href=\"http:\/\/uk.businessinsider.com\/marcus-hutchins-is-the-22-year-old-who-saved-the-world-from-a-malware-virus-2017-5?r=US&amp;IR=T\">Marcus Hutchins<\/a>. Next time the NHS might not be so lucky, though new research has been commissioned to this end. Projects such as EPSRC <a href=\"http:\/\/gow.epsrc.ac.uk\/NGBOViewGrant.aspx?GrantRef=EP\/P011772\/1\">EMPHASIS<\/a> will look at not only the technical aspects of ransomware attacks, but also their economic, psychological and social aspects to obtain a more rounded understanding of ransomware.<\/p>\n<p>Not only will this interdisciplinary approach increase our understanding of ransomware attacks, but it will also help us to quickly ascertain whether or not the attack is socially engineered \u2013 triggered by users opening attachments or clicking on infected websites \u2013 or triggered through technological means such as by a worm, as was the case with WannaCry and <a href=\"https:\/\/securelist.com\/expetrpetyanotpetya-is-a-wiper-not-ransomware\/78902\/\">not-Petya<\/a> \u2013 the latter seeking to <a href=\"https:\/\/securelist.com\/destructive-malware-five-wipers-in-the-spotlight\/58194\/\">disrupt and destructively wipe data<\/a> without even attempting to extort money. 
It\u2019s also important to understand the new means of payment via <a href=\"https:\/\/www.forbes.com\/sites\/forbestechcouncil\/2017\/08\/03\/how-cryptocurrencies-are-fueling-ransomware-attacks-and-other-cybercrimes\/#8b9ef543c152\">cryptocurrencies such as bitcoin<\/a>, because <a href=\"https:\/\/theconversation.com\/cryptolocker-has-you-between-a-back-up-and-a-hard-place-20687\">ransomware<\/a> is usually a crime of extortion. With a better understanding of our attackers and their motivations we will be better placed to defend against them.<\/p>\n<p><a href=\"https:\/\/theconversation.com\/profiles\/eerke-boiten-104676\">Eerke Boiten<\/a>, Professor of Cyber Security, School of Computer Science and Informatics, <em><a href=\"http:\/\/theconversation.com\/institutions\/de-montfort-university-1254\">De Montfort University<\/a><\/em> and <a href=\"https:\/\/theconversation.com\/profiles\/david-wall-98233\">David Wall<\/a>, Professor of Criminology, <em><a href=\"http:\/\/theconversation.com\/institutions\/university-of-leeds-1122\">University of Leeds<\/a><\/em><\/p>\n<p>This article is republished from <a href=\"http:\/\/theconversation.com\">The Conversation<\/a> under a Creative Commons license. Read the <a href=\"https:\/\/theconversation.com\/wannacry-report-shows-nhs-chiefs-knew-of-security-danger-but-management-took-no-action-86501\">original article<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A report from the parliamentary National Audit Office into the WannaCry ransomware attack that brought down significant parts of Britain\u2019s National Health Service in May 2017 has predictably been reported as blaming NHS trusts and smaller organisations within the care system for failing to ensure that appropriate computer security measures such as software updates and secure firewalls were in place.<\/p>\n","protected":false},"author":9,"featured_media":7811,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[147,197],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>WannaCry report shows NHS chiefs knew of security danger, but management took no action - FIRST-LINE PRACTITIONERS<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/www.firstlinepractitioners.com\/cs\/wannacry-report-shows-nhs-chiefs-knew-of-security-danger-but-management-took-no-action\/\" \/>\n<meta property=\"og:locale\" content=\"cs_CZ\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"WannaCry report shows NHS chiefs knew of security danger, but management took no action - FIRST-LINE PRACTITIONERS\" \/>\n<meta property=\"og:description\" content=\"A report from the parliamentary National Audit Office into the WannaCry ransomware attack that brought down significant parts of Britain\u2019s National Health Service in May 2017 has predictably been reported as blaming NHS trusts and smaller organisations within the care system for failing to ensure that appropriate computer security measures such as software updates and secure firewalls were in place.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.firstlinepractitioners.com\/cs\/wannacry-report-shows-nhs-chiefs-knew-of-security-danger-but-management-took-no-action\/\" \/>\n<meta property=\"og:site_name\" content=\"FIRST-LINE PRACTITIONERS\" \/>\n<meta property=\"article:published_time\" content=\"2019-05-24T09:01:32+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-10-03T12:09:03+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.firstlinepractitioners.com\/wp-content\/uploads\/2019\/05\/shutterstock_1073338121.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1229\" \/>\n\t<meta property=\"og:image:height\" content=\"691\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Florian\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Napsal(a)\" \/>\n\t<meta name=\"twitter:data1\" content=\"Florian\" \/>\n\t<meta name=\"twitter:label2\" content=\"Odhadovan\u00e1 doba \u010dten\u00ed\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minut\" \/>\n<script 
type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.firstlinepractitioners.com\/cs\/wannacry-report-shows-nhs-chiefs-knew-of-security-danger-but-management-took-no-action\/\",\"url\":\"https:\/\/www.firstlinepractitioners.com\/cs\/wannacry-report-shows-nhs-chiefs-knew-of-security-danger-but-management-took-no-action\/\",\"name\":\"WannaCry report shows NHS chiefs knew of security danger, but management took no action - FIRST-LINE PRACTITIONERS\",\"isPartOf\":{\"@id\":\"https:\/\/www.firstlinepractitioners.com\/el\/#website\"},\"datePublished\":\"2019-05-24T09:01:32+00:00\",\"dateModified\":\"2019-10-03T12:09:03+00:00\",\"author\":{\"@id\":\"https:\/\/www.firstlinepractitioners.com\/el\/#\/schema\/person\/b34843a12defd8503efa62cbb39edbd3\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.firstlinepractitioners.com\/cs\/wannacry-report-shows-nhs-chiefs-knew-of-security-danger-but-management-took-no-action\/#breadcrumb\"},\"inLanguage\":\"cs\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.firstlinepractitioners.com\/cs\/wannacry-report-shows-nhs-chiefs-knew-of-security-danger-but-management-took-no-action\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.firstlinepractitioners.com\/cs\/wannacry-report-shows-nhs-chiefs-knew-of-security-danger-but-management-took-no-action\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.firstlinepractitioners.com\/cs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"WannaCry report shows NHS chiefs knew of security danger, but management took no action\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.firstlinepractitioners.com\/el\/#website\",\"url\":\"https:\/\/www.firstlinepractitioners.com\/el\/\",\"name\":\"FIRST-LINE PRACTITIONERS\",\"description\":\"Curricula - Knowledge - 
Navigation\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.firstlinepractitioners.com\/el\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"cs\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.firstlinepractitioners.com\/el\/#\/schema\/person\/b34843a12defd8503efa62cbb39edbd3\",\"name\":\"Florian\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"cs\",\"@id\":\"https:\/\/www.firstlinepractitioners.com\/el\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/5193b32cfd0b1df3bedd57dc497af30e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/5193b32cfd0b1df3bedd57dc497af30e?s=96&d=mm&r=g\",\"caption\":\"Florian\"},\"url\":\"https:\/\/www.firstlinepractitioners.com\/cs\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"WannaCry report shows NHS chiefs knew of security danger, but management took no action - FIRST-LINE PRACTITIONERS","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.firstlinepractitioners.com\/cs\/wannacry-report-shows-nhs-chiefs-knew-of-security-danger-but-management-took-no-action\/","og_locale":"cs_CZ","og_type":"article","og_title":"WannaCry report shows NHS chiefs knew of security danger, but management took no action - FIRST-LINE PRACTITIONERS","og_description":"A report from the parliamentary National Audit Office into the WannaCry ransomware attack that brought down significant parts of Britain\u2019s National Health Service in May 2017 has predictably been reported as blaming NHS trusts and smaller organisations within the care system for failing to ensure that appropriate computer security measures such as software updates and secure firewalls were in 
place.","og_url":"https:\/\/www.firstlinepractitioners.com\/cs\/wannacry-report-shows-nhs-chiefs-knew-of-security-danger-but-management-took-no-action\/","og_site_name":"FIRST-LINE PRACTITIONERS","article_published_time":"2019-05-24T09:01:32+00:00","article_modified_time":"2019-10-03T12:09:03+00:00","og_image":[{"width":1229,"height":691,"url":"https:\/\/www.firstlinepractitioners.com\/wp-content\/uploads\/2019\/05\/shutterstock_1073338121.jpg","type":"image\/jpeg"}],"author":"Florian","twitter_card":"summary_large_image","twitter_misc":{"Napsal(a)":"Florian","Odhadovan\u00e1 doba \u010dten\u00ed":"5 minut"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.firstlinepractitioners.com\/cs\/wannacry-report-shows-nhs-chiefs-knew-of-security-danger-but-management-took-no-action\/","url":"https:\/\/www.firstlinepractitioners.com\/cs\/wannacry-report-shows-nhs-chiefs-knew-of-security-danger-but-management-took-no-action\/","name":"WannaCry report shows NHS chiefs knew of security danger, but management took no action - FIRST-LINE 
PRACTITIONERS","isPartOf":{"@id":"https:\/\/www.firstlinepractitioners.com\/el\/#website"},"datePublished":"2019-05-24T09:01:32+00:00","dateModified":"2019-10-03T12:09:03+00:00","author":{"@id":"https:\/\/www.firstlinepractitioners.com\/el\/#\/schema\/person\/b34843a12defd8503efa62cbb39edbd3"},"breadcrumb":{"@id":"https:\/\/www.firstlinepractitioners.com\/cs\/wannacry-report-shows-nhs-chiefs-knew-of-security-danger-but-management-took-no-action\/#breadcrumb"},"inLanguage":"cs","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.firstlinepractitioners.com\/cs\/wannacry-report-shows-nhs-chiefs-knew-of-security-danger-but-management-took-no-action\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.firstlinepractitioners.com\/cs\/wannacry-report-shows-nhs-chiefs-knew-of-security-danger-but-management-took-no-action\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.firstlinepractitioners.com\/cs\/"},{"@type":"ListItem","position":2,"name":"WannaCry report shows NHS chiefs knew of security danger, but management took no action"}]},{"@type":"WebSite","@id":"https:\/\/www.firstlinepractitioners.com\/el\/#website","url":"https:\/\/www.firstlinepractitioners.com\/el\/","name":"FIRST-LINE PRACTITIONERS","description":"Curricula - Knowledge - Navigation","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.firstlinepractitioners.com\/el\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"cs"},{"@type":"Person","@id":"https:\/\/www.firstlinepractitioners.com\/el\/#\/schema\/person\/b34843a12defd8503efa62cbb39edbd3","name":"Florian","image":{"@type":"ImageObject","inLanguage":"cs","@id":"https:\/\/www.firstlinepractitioners.com\/el\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/5193b32cfd0b1df3bedd57dc497af30e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5193b32cfd0b1df3bedd57dc497af30e?s=96&d=mm&r=g","caption":"Florian"},"url":"https:\/\/www.firstlinepractitioners.com\/cs\/author\/florian\/"}]}},"_links":{"self":[{"href":"https:\/\/www.firstlinepractitioners.com\/cs\/wp-json\/wp\/v2\/posts\/8382"}],"collection":[{"href":"https:\/\/www.firstlinepractitioners.com\/cs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.firstlinepractitioners.com\/cs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.firstlinepractitioners.com\/cs\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/www.firstlinepractitioners.com\/cs\/wp-json\/wp\/v2\/comments?post=8382"}],"version-history":[{"count":1,"href":"https:\/\/www.firstlinepractitioners.com\/cs\/wp-json\/wp\/v2\/posts\/8382\/revisions"}],"predecessor-version":[{"id":8392,"href":"https:\/\/www.firstlinepractitioners.com\/cs\/wp-json\/wp\/v2\/posts\/8382\/revisions\/8392"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.firstlinepractitioners.com\/cs\/wp-json\/wp\/v2\/media\/7811"}],"wp:attachment":[{"href":"https:\/\/www.firstlinepractitioners.com\/cs\/wp-json\/wp\/v2\/media?parent=8382"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.firstlinepractitioners.com\/cs\/wp-json\/wp\/v2\/categories?post=8382"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.firstlinepractitioners.com\/cs\/wp-json\/wp\/v2\/tags?post=8382"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}