Friday, October 27, 2017

WannaCry ransomware: Hospitals were warned to patch system to protect against cyber attack - but didn't


The UK's National Health Service was one of the most high-profile victims of the WannaCry ransomware attack.

Image: Getty

The National Health Service was left vulnerable to the WannaCry ransomware attack because, despite warnings to trusts to patch systems, many local organisations had failed to do so.

An investigation by the National Audit Office (NAO) into May's global cyber attack - which took down the IT systems at many NHS organisations - has found that the impact of WannaCry could have been prevented if basic security best practice had been applied.

According to the NAO's report, NHS Digital - the data and IT services body of the NHS - issued critical alerts throughout March and April warning organisations to patch their systems in order to prevent an event like WannaCry from happening.

In March, Microsoft had released a patch (MS17-010) for the flaw exploited by EternalBlue, an NSA hacking tool leaked by the Shadow Brokers the following month. EternalBlue targets SMBv1, an old version of Windows' Server Message Block (SMB) file-sharing protocol, and gives an attacker code execution on any reachable machine that still has it enabled and unpatched, with no user interaction required. That is what gave WannaCry its wormlike capabilities: each infected host scanned for other machines exposing SMB and infected them in turn.

It was this exploit which powered WannaCry and led to its quick proliferation onto networks around the world, including the NHS. An NHS spokesperson told ZDNet that the critical alerts to patch systems were issued in response to Microsoft updating software to protect against the exploit.
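The "simple action" the NAO refers to is checking whether SMBv1 is enabled and whether MS17-010 is installed, and disabling the protocol where it is not needed. The following PowerShell script is an added example written for this page, not code from ZDNet, the NAO or NHS Digital. It assumes an elevated PowerShell session on Windows 8/Server 2012 or later (Get-SmbServerConfiguration does not exist on Windows 7 or XP, which need the registry method noted in the comments), and the list of KB numbers is the March 2017 MS17-010 package set as assumed here; later cumulative updates supersede them without carrying those IDs, so the srv.sys version is reported alongside for comparison against the bulletin.

```powershell
# Audit one Windows host for the two conditions WannaCry relied on:
# SMBv1 enabled and the MS17-010 fix missing. Run with -Fix to disable SMBv1.
param([switch]$Fix)

# Assumed: MS17-010 security-only and monthly-rollup package IDs from March 2017
# (Win7/2008R2, 8.1/2012R2, 2012, Vista/2008/XP/2003, Win10 1507/1511/1607).
# A host patched via a later cumulative update will match none of these.
$ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                'KB4012214', 'KB4012217', 'KB4012598',
                'KB4012606', 'KB4013198', 'KB4013429')

# SMBv1 server-side state. On Windows 7/2008 R2 the equivalent check is the
# registry value HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1
# (absent or 1 means enabled).
$smb = Get-SmbServerConfiguration
$smb1Enabled = [bool]$smb.EnableSMB1Protocol

# Hotfix inventory: any match means the March 2017 package itself is present.
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }

# The SMB server driver is what MS17-010 replaced, so its file version is the
# more reliable signal on hosts updated by later rollups. Compare it with the
# version listed in the bulletin for the OS in question.
$srvVersion = (Get-Item "$env:SystemRoot\System32\drivers\srv.sys").VersionInfo.ProductVersion

$report = [pscustomobject]@{
    Host            = $env:COMPUTERNAME
    SMB1Enabled     = $smb1Enabled
    MS17010Hotfixes = (@($installed | ForEach-Object { $_.HotFixID }) -join ',')
    SrvSysVersion   = $srvVersion
}
$report | Format-List

if ($smb1Enabled) {
    Write-Warning 'SMBv1 is enabled: this host is reachable by EternalBlue-style exploits if unpatched.'
    if ($Fix) {
        # Removes the attack surface entirely. Legacy devices (old scanners,
        # printers, NAS boxes) may still depend on SMBv1, so confirm before
        # rolling this out fleet-wide.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host 'SMBv1 server disabled; reboot to make sure no sessions remain.'
    }
}
```

To run the audit across a fleet rather than one machine, wrap the script body in Invoke-Command -ComputerName against a list of hosts and collect the returned objects; a host that reports SMB1Enabled as True with no MS17-010 hotfix and a pre-March-2017 srv.sys is in exactly the state the infected trusts were in.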

Previous advice issued in 2014 by the Department of Health and the Cabinet Office warned hospitals and GP surgeries it was essential they had "robust plans" to migrate away from old software, such as Windows XP by April 2015. Despite this, the older Microsoft operating system remained common within the NHS.

In total, a third of NHS Trusts in England were disrupted by the WannaCry attack - 81 of the 236 trusts across England were affected by the attack and 595 GP practices were also affected. None paid the ransom.

Locked out of systems by the file-encrypting malware, many NHS bodies had to resort to pen and paper and thousands of operations and appointments were cancelled.

"No harm was caused to patients and there were no incidents of patient data being compromised or stolen. Tried and tested emergency plans were activated quickly and our hard-working NHS staff went the extra mile to provide patient care, keeping the impact on NHS services and patients to a minimum," said Keith McNeil, Chief Clinical Information Officer for Health and Care.

In some instances, it took weeks for services to fully recover, and the NAO report remarks that the NHS still doesn't know the full extent of the disruption - which could have been much worse if cyber security researcher Marcus Hutchins hadn't discovered a WannaCry kill switch. The malware checked whether an unregistered domain name resolved before spreading; by registering that domain, Hutchins stopped new infections from propagating to more systems.


While the Department of Health is said to have developed a plan for responding to a large scale cyber attack, it hadn't been tested at local level, leading to confusion about who should lead the response to WannaCry.

In addition, email systems being taken down as a result of the attack meant those infected by the ransomware had problems communicating with national NHS bodies - eventually leading to communications being made via mobile devices and WhatsApp.

Ultimately, the report concludes that all organisations infected by WannaCry shared the same vulnerability and "simple action" could've been taken to prevent it by ensuring the correct patches and updates were in place. The NAO says there are lessons the NHS must learn from the incident.

"The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice," said Amyas Morse, head of the National Audit Office.

"There are more sophisticated cyber threats out there than WannaCry so the department and the NHS need to get their act together to ensure the NHS is better protected against future attacks."

The NHS says it will learn from the incident and is taking action to ensure a more effective response can be mounted in the event of a similar attack in future. Response plans are said to have been sharpened and £21 million in funding has been made available to increase the cyber resilience of urgent and emergency care centres. "Essential action" has also been taken to secure local firewalls.

"We welcome the outcome of this investigation which highlights some of the challenges we faced during the WannaCry incident and in our role to alert NHS organisations to known cyber security threats and advise them of appropriate steps to take to minimise risks," said Dan Taylor, NHS Digital's Head of Security.

"We learned a lot from WannaCry and are working closely with our colleagues in other national bodies to continue to listen, learn and offer support and services to frontline organisations."


from Latest Topic for ZDNet in... http://ift.tt/2xs9Yj4
