A cyber attack of unprecedented scale inactivated more than 230,000 computers in 150 countries on Friday 12 May. A number of large companies across the world were affected, including Telefónica in Spain, the National Health Service (NHS) in the UK, FedEx, and Deutsche Bahn.
The 'WannaCry' ransomware used in this attack can be traced back to the US National Security Agency (NSA). The software was included in the collection of cyber-attack tools leaked by the hacking group the Shadow Brokers in April. It was spread through phishing emails and computer worms on unprotected systems, and it locked infected computers and demanded ransom payments before users could regain access to their files.
Jalal Bouhdada, Founder and Principal ICS Security Consultant at Applied Risk commented:
"Like many closed systems, medical systems were originally designed with no security in mind. These devices traditionally served one purpose - to be used internally at hospitals or UK medical centres. In 2016, ransomware attacks increased by almost 17,000 per cent from the year before. Ransomware is a relatively easy method of infecting small and large scale environments, leveraging an organisation's weakest security link - its people."
"As with many modern innovations, the healthcare sector continues to apply a traditional approach to device security, treating it as an afterthought. The risks of unsecured medical devices are clear. Privacy becomes an issue, with patient details potentially accessible. An even greater risk comes from the implications of vital medical devices, such as cardiac defibrillators or even pacemakers, coming under attack and removed from use."
"The days in which companies assumed closed systems were protected are over. Modern attackers often have access to a wide range of technologies and their documentation, allowing them to become highly knowledgeable prior to any serious attack."
Particularly concerning is the inactivation of the systems of one in five NHS Trusts across the UK. Barts Health Trust in London, the largest NHS trust, was affected and its computer system remains unusable. This has led to the cancellation of many operations scheduled for today, since patient records, including scan and test results, cannot be accessed.
BMA council chair Dr Mark Porter remarked: "This cyber-attack on NHS information systems is extremely worrying for patients and the doctors treating them... NHS staff are working extremely hard to provide the best possible patient care, and we hope NHS Digital are able to resolve these problems as soon as possible."
The NHS was particularly vulnerable because many trusts still use Windows XP, which is needed to collect data from older medical instruments such as MRI scanners. This operating system is no longer supported by Microsoft, and so it does not routinely receive the security updates designed to protect against such attacks. Given the scale of this attack, Microsoft issued a security patch for XP systems over the weekend to prevent further spread.
"I'm sure we've all seen Windows XP PCs in hospitals around the country. Since the PCs are no longer patched by Microsoft, it's highly likely these devices are unprotected and potentially littered with vulnerabilities that could be exploited by a cyber criminal. With stretched budgets, the NHS is constantly under scrutiny to maximise their investments and this can often mean a deprioritisation of security protection and IT support, leaving them completely exposed and at the mercy of a large ransomware attack. As someone who has worked with the healthcare industry for more than 10 years - I know that the NHS IT infrastructure has a number of vulnerabilities plagued with legacy applications that could not be patched and were relatively under-governed by the trusts. While the UK government did make steps to improve IT security by issuing the NHS Information Governance toolkit, it mostly consisted of a bundle of high-level legal requirements and lacked clear technical direction or audit management. This meant that NHS trusts have inconsistent security at best, or at worst, are vulnerable to lots of different attacks."
- Andrew Barratt, managing principal for Coalfire (a third-party cybersecurity risk and regulation advisor to the healthcare sector)
NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and ensure patient safety is protected. The NHS is adopting tried and tested contingency plans to keep the NHS open for business; however, NHS patients in affected areas will experience disruption and delays.
Dr Anne Rainsberry, NHS Incident Director, said:
"We'd like to reassure patients that if they need the NHS and it's an emergency that they should visit A&E or access emergency services in the same way as they normally would and staff will ensure they get the care they need. More widely we ask people to use the NHS wisely while we deal with this major incident which is still ongoing."
Until the systems are fully restored, patients are being urged to consider carefully whether a visit to accident and emergency or their general practitioner is essential today, in order to maximise the capacity for handling serious or life-threatening cases. Patients with existing appointments have been asked to bring with them any medications, letters or paperwork they have in their possession, and have been warned that they may be asked to reschedule if it is not possible to access the information required.
- BMA. Statement, 12 May 2017. Available at: https://www.bma.org.uk/news/media-centre/press-releases/2017/may/bma-responds-to-nhs-cyber-attack
- NHS England. Statement, 12 May 2017. Available at: https://www.england.nhs.uk/2017/05/statement-on-reported-nhs-cyber-attack/
- NHS Digital. Statement, 14 May 2017. Available at: https://www.digital.nhs.uk/article/1494/UPDATE-Cyber-security-incident-14-May-