There’s a striking new statistic about the level of ransomware attacks on the NHS that deserves some attention. According to recently published findings from research firm Comparitech, only six successful attacks have been reported since 2017, the year the WannaCry ransomware virus hit the health service.
What makes this significant is that, according to Freedom of Information requests, the NHS has suffered 209 successful ransomware attacks since 2014. There is a caveat to this, of the 254 Trusts Comparitech surveyed, 20% refused or failed to respond. However, the drop is a huge improvement on pre-WannaCry numbers.
So, what has the NHS been doing since 2017 to reduce the risk and impact of a future cyber-attack – and what can other organisations learn from their stance against cyber crime?
We highlight some of their cyber security initiatives and why they are important.
The NHS response, post WannaCry
At the time of the WannaCry attack, NHS cyber security was under fire with many commentators pointing to the unsupported and ancient Windows XP operating system and the supported but unpatched Microsoft Windows 7 used by many of the affected Trusts. It was an attack waiting to happen.
Following WannaCry, there was an internal review which found that none of the 80 NHS organisations affected by WannaCry had applied the Microsoft update patch21. This action had been advised by NHS Digital’s bulletin following the receipt of intelligence of a specific threat from BT on 24 April 2017.
Since WannaCry, NHS Digital has implemented a system through which all NHS Trusts have to report within 48 hours on action they have taken on high severity alerts (i.e. implementing security patches and updating their anti-virus software). 100% of NHS trusts were signed up by January 2018.
Why this matters: AntiVirus is great at stopping the known malware threats but to be properly protected you need to update your system software as updates are provided by the provider. Such security patches address vulnerabilities in the software cyber criminals might use to gain unauthorised access to your device and your data.
Upgrading Firewalls and Network Infrastructure
Following WannaCry, the NHS has spent £21m to upgrade firewalls and network infrastructure, and support the transition from outdated hardware and operating systems to improve resilience.
In addition, they are building resilience by upgrading firewalls to secure networks, supporting use of software to fix security vulnerabilities or upgrades for software applications and technologies by replacing obsolete PCs, and introducing device security tools, and Improving anti-virus protection.
Why this matters: By definition a firewall allows data into your organisation and this can be turned against you if the firewall configuration is weak. To be more secure you should also consider a proxy device and make sure all your data goes through it before it lands on your laptops and desktops
Moving from unsupported systems
NHS Digital issued guidance to help local organisations to move off unsupported systems and to minimise the risk of unsupported systems where they are in use. Microsoft consultancy has been used to help embed services, improve cyber-security resilience and prepare organisations to move to Windows 10. Over half a million NHS devices have now been migrated.
Why this matters: As the term suggests, if a system is no longer receiving any support from its supplier, it’s not receiving any security updates. This isn’t just an issue for IT, older mobiles are can also act as an open door if they are no longer supported and happen to contain access to valuable organisational data.
The National Data Guardian’s (NDG) 10 Data Security Standards
The NHS set out ten data security standards to address people, process and technology issues. Following advice from National Cyber Security Centre, this was designed to drive more cyber-conscious behaviours aimed at encouraging organisations to do the right things first and split out mandatory and best practice activities.
The full 10 standards include:
Data Security Standard 6: Cyber-attacks against services are identified and resisted and NHS Digital Data Security Centre security advice is responded to. Action is taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection.
Data Security Standard 7: A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.
Data Security Standard 8: No unsupported operating systems, software or internet browsers are used within the IT estate.
Why this matters: Cyber security standards set out a range of measures that, if adhered to, will reduce the chance of a successful cyber attack. They are the building blocks to improve your cyber resilience and compliance – and they also send out a powerful message to your customers and suppliers that your organisation takes cyber security seriously.
As well as the 10 Data Security Standards adopted by the NHS, the National Cyber Security Centre (NCSC) offers their highly respected “10 steps to cyber security guidance” designed to help organisations protect themselves in cyberspace.
Ascentor has also covered some of the most popular cyber security standards in our blog article of the same name.
A clearer view of cyber security maturity
The NHS has developed an online Data Security and Protection Toolkit (DSPT) to measure performance against the 10 Data Security Standards. The DSPT is specifically tailored for different types and sizes of organisation and helps them understand their data and cyber security risks.
Over 27,000 organisations have since completed the DSPT, with 97% of organisations meeting the 10 Data Security Standards. Large organisations, including NHS Trusts, assessed as “Standards Not Met” must submit an improvement plan to NHS Digital.
Analysis of the complete first set of DSPT data has provided an overall picture of progress made by NHS organisations and highlighted areas where challenges remain, for example with training, IT protection and continuity planning. It also provided an in-depth picture of Trusts – individual cyber resilience and maturity, facilitating a more tailored approach to helping them improve.
Why this matters: Awareness of cyber maturity helps an organisation assess its effectiveness at achieving a particular goal. In particular, they pinpoint where practices are lacking and also identify those that are successfully embedded and can reliably and sustainably produce the required outcomes. It’s also about quality management — the ability of an organisation to identify lessons when things go wrong and absorb the lessons into their practices to make improvements.
Ascentor’s recent blog looks at cyber maturity and how a maturity model strengthens cyber security.
Leadership responsibility and training
The NHS 2017/18 Data Security and Protection Requirements made it clear that there must be a named senior executive responsible for data and cyber security in every health and care organisation. Ideally, this person will also be the Senior Information Risk Owner (SIRO), and, where applicable, a member of the organisation’s Board.
In addition, training for Board and Senior Information Risk Owners (SIROs) has been developed so that key individuals within an organisation understand the importance and nature of cyber security and risk.
Since its launch in November 2018, over 170 boards have received the training with 61 organisations availing of SIRO training after its launch in July 2019.
Why this matters: While cyber security is everyone’s responsibility, successfully embedding secure practices is far more likely to happen with sponsorship at a senior level.
The latest initiatives
As part of their “Securing cyber resilience in health and care” progress update, published in November 2019, the NHS reported a number of additional cyber security initiatives. These include:
Greater supply chain cyber security
As measures taken to improve cyber security inside the NHS have taken effect, the more attractive the supply chain becomes to bad actors. The reality is that the cyber threat shifts to look for another weak entry point.
Just launched in January 2020, Edge4Health is a consumer-style digital procurement hub designed to cut costs, improve visibility and data management. As part of this, NHS suppliers can check and improve their cyber security and discover the various threats and vulnerabilities they are subject to, and how to mitigate them.
Information will also be made available to NHS organisations buying through the platform, through a buying community cyber risk rating, to help decision-makers take better account of security considerations when buying services.
Why this matters: The supply chain is often the weakest link in cyber security. There are often so many suppliers in the chain that maintaining robust security further down the chain is difficult to control. The NHS has £9bn of annual spend and one of the longest and most complex supply chains in the world. Effective supply chain cyber security is about ensuring that an organisation’s critical information and business systems are not compromised or disrupted by any third-party suppliers.
Introducing Cyber Essentials
NHS Digital have worked with National Cyber Security Centre (NCSC), to include the requirements of Cyber Essentials into the DSPT toolkit.
Cyber Essentials, managed by the NCSC, is a scheme promoting the implementation of technical controls aimed at protecting organisations of all sizes against a range of the most common cyber attacks. All NHS Trusts except one have now had an independent on-site CE+ assessment and submitted action plans covering what they need to do to improve their resilience.
For 2020/21, NHS Trusts will be expected to meet the additional requirements in the DSPT, which provide equivalence to the Cyber Essentials Plus (CE+) standard when combined with NHS Digital’s onsite assessments.
Why this matters: Having Cyber Essentials certification not only protects your organisation against 80% of cyber-attacks, it demonstrates to your customers and supply chain that you have considered security controls and are working in a safe and secure environment.
If you’d like to know more about Cyber Essentials, Ascentor is an accredited certification body, licensed by the IASME Consortium. We’ve written an article based on our 100% success rate in helping organisations pass Cyber Essentials Plus (CE+). We also offer a supported service to help organisations attain their Cyber Essentials certification.
The WannaCry virus didn’t set out to target the NHS, but it was certainly the most high-profile organisation to be affected by it. The sharp decrease in NHS ransomware attacks since 2017 would suggest that the money and effort focused on improving IT systems and cybersecurity knowledge within the NHS is working.
No initiative would work in isolation, what the NHS has demonstrated is a broad approach covering systems, standards, people, technology, measurement, the supply chain and the support of senior leadership. They have successfully re-built their cyber security strategy and are now far more resilient as an organisation going forwards.