What Can Be Learnt from the WannaCry Ransomware Attack on the NHS?
On Friday 12th May, a cyber-attack hit companies in over 150 countries, bringing many services to a standstill. One of the worst affected organisations was the NHS, with over 19 organisations facing some form of disruption. The worst hit trusts were even forced to cancel appointments after being left unable to access patient records.
Over the coming weeks, there will no doubt be countless analysts and IT experts reflecting on the events and how it could have been avoided. However, in this article I want to highlight a few of the key lessons that should be learnt going forward and to provide some contextual insight into the heart of the issue.
How Exactly Did WannaCry Infiltrate the NHS?
At present, there are a number of theories regarding exactly how the virus entered the NHS. Usually, such viruses enter organisations through an email attachment which begins infecting a machine as soon as it has been downloaded.
What appears to make WannaCry more dangerous than other viruses is that it is able to replicate across devices on a network without needing to be explicitly opened on every device. It spreads using an exploit known as EternalBlue — reportedly developed by the NSA and leaked by the Shadow Brokers in April.
Although Microsoft patched the vulnerability in March, it appears the patch was never applied to the affected machines. And here lies the crux of the issue, the fundamental question that must be answered: why was a major flaw left unpatched?
The Ageing Healthcare Infrastructure
An article by Jon Hoeksma posted on Digital Health Intelligence suggests the primary cause is directly related to underinvestment in NHS IT. A surprising number of trusts are relying on an ageing infrastructure, with little support from technology firms, leaving them increasingly vulnerable.
When IT budgets are low in such environments, it can be hard to prioritise prevention and the upgrading of old equipment over the purchase of new systems. This, coupled with a decentralised model of IT management, is creating silos between (and within) trusts that leave systems open to exploitation.
For example, a 2016 report from Accenture found a 60% adoption rate of healthcare IT in primary care, but only a 22% adoption rate in secondary care. The same report also found that only 5% of doctors in England were being offered any incentive to co-ordinate care with other organisations. Without any central function to manage such an important system, it is highly likely that the costs of maintaining current systems alone are higher than those of implementing a secure, centralised and managed alternative.
Improving NHS Software Provision
It is not only the NHS itself that is underfunded, but often the technologies and partners it relies on to deliver services. NHS supplier contracts can easily last up to 10 years — in which time the technological landscape can change drastically.
Ten years ago, Windows Vista was the most recent OS released by Microsoft. However, its infamous instability meant many organisations still preferred to rely on Microsoft’s earlier OS, XP. Since then, of course, Microsoft has been phasing out support for Windows XP — the last planned public patch was released in April 2014, and the UK government’s support contract for the OS ended in 2015.
Yet despite this, a number of NHS applications and software installations are only able to run on XP. There are several reasons for this, but most boil down to the cost of developing new versions of software that will run on a newer OS.
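The two failure modes described above (a fix that shipped in March but was never installed, and estates still running XP after public patches stopped in April 2014) are exactly what an estate-wide inventory audit should surface. The following is an added example, not code from the article or from any NHS trust: it runs over a constructed host list, treats the end of March 2017 as the cut-off by which the fix was available (the article gives only the month), and groups findings per trust so that the silo problem described earlier is visible in the output.

```python
"""Audit a constructed host inventory for hosts on an OS past vendor support
and for supported hosts that have taken no patch since the fix shipped."""
from datetime import date

# End of public support per OS. Windows XP (April 2014) is the article's date;
# Vista's (April 2017) is added here as a known vendor date.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Vista": date(2017, 4, 11),
}

# The article says the fix shipped in March; the exact day is not given, so the
# end of that month is used as the cut-off (assumption).
PATCH_CUTOFF = date(2017, 3, 31)

# The article's "Friday 12th May" (year assumed to be 2017).
AUDIT_DATE = date(2017, 5, 12)

# Constructed sample rows: (hostname, trust, os, date of last applied patch).
INVENTORY = [
    ("ward-pc-01", "Trust A", "Windows 7", date(2017, 4, 12)),
    ("ward-pc-02", "Trust A", "Windows 7", date(2016, 11, 3)),
    ("mri-console", "Trust B", "Windows XP", date(2014, 3, 11)),
    ("pacs-srv-01", "Trust B", "Windows Server 2008 R2", date(2017, 4, 3)),
    ("recept-pc-07", "Trust C", "Windows 7", date(2017, 1, 9)),
]

def classify(os_name, last_patch, audit_date):
    """Return 'unsupported', 'unpatched' or 'ok' for a single host."""
    eos = END_OF_SUPPORT.get(os_name)
    if eos is not None and audit_date > eos:
        return "unsupported"   # no public fix exists for this OS any more
    if last_patch < PATCH_CUTOFF:
        return "unpatched"     # a fix exists but has not been installed
    return "ok"

def audit(inventory, audit_date):
    """Group host statuses by trust: {trust: {status: [hostnames]}}."""
    report = {}
    for host, trust, os_name, last_patch in inventory:
        status = classify(os_name, last_patch, audit_date)
        report.setdefault(trust, {}).setdefault(status, []).append(host)
    return report

if __name__ == "__main__":
    for trust, statuses in sorted(audit(INVENTORY, AUDIT_DATE).items()):
        for status, hosts in sorted(statuses.items()):
            print(f"{trust}: {status}: {', '.join(hosts)}")
```

A real run would replace INVENTORY with an export from the estate's asset or patch-management system; the per-trust grouping is what makes a decentralised estate's gaps comparable.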
Software providers must take responsibility for not providing continuous support for healthcare tech.
To some extent, this can be described as a vicious cycle. Software firms have no incentive to develop new versions as the NHS has not upgraded, but the NHS is (in some cases) unable to upgrade as it would cause the software — which can be vital — to stop working.
What Can be Done?
There is no quick fix or easy answer to the situation. There are, however, a number of people within the healthcare community who hope that this situation will serve as a wake-up call and prompt investment in NHS IT infrastructure. Investment alone, however, is not the answer. This investment needs to be focused, targeted towards the areas which need it most. And perhaps most importantly of all, it needs to be centralised.
But technology and software providers to the NHS must also take responsibility and provide ongoing support and upgrades to critical software.