On Friday afternoon, 12 May 2017, the WannaCrypt ransomware virus was released. It spread rapidly and encrypted the computer data of 48 Trusts in England and 13 NHS bodies in Scotland, as well as dozens of other organisations worldwide. It attacked unpatched Windows computer systems, which it in all likelihood infiltrated via email before spreading across networks. At this early stage, the motivation and author of the cyberattack have not been identified, but it is almost certain that the malicious software used was a tool known as “Eternalblue”, stolen from the USA’s National Security Agency (NSA) and released by a group known as the “Shadow Brokers”.
Thankfully no deaths have been attributed to it but, as a result, large numbers of computers in affected organisations are being wiped and rebuilt. It has left a costly headache for NHS IT departments and their budgets, with some organisations left to decide whether to pay a ransom per computer or accept that the data has gone.
A “feature” of the WannaCrypt ransomware encryption is a “back door” tool – also stolen from the NSA – which means that organisations affected could have been exposed to a much wider set of risks including theft of personal information, business critical data and intellectual property. The UK government has stressed that no patient records have been affected, although the full extent of damage done by the attack is still to come out.
The “soft” impact of this attack on frontline staff also shouldn’t be underestimated. Aside from the inconvenience to clinical staff, hard-won culture changes and growing confidence in electronic systems can be eroded overnight by an incident such as this. The consequence is that it becomes much harder to get initial staff participation in future digital transformation projects. It is often the intangible and unforeseen effects that end up costing a lot more than the initial impact radius.
Hate to say I told you so
Microsoft’s Brad Smith, President and Chief Legal Officer, stated that governments of the world should treat this attack as a wake-up call highlighting the fact that on “March 14, Microsoft had released a security update to patch this vulnerability and protect [its] customers. While this protected newer Windows systems and computers” with Windows Updates “many computers remained unpatched globally”.
However, due to the seriousness of this attack, Microsoft have taken the “highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003”. But this shouldn’t be taken as a sign that they’ll do this again in the future.
When the fires die down
Once all the repairs and fixes have been put in place, IT leaders need to assess what can be done to stop such an event happening again, such as:
- Migrate from old operating systems
- Ensure all infrastructure is supported and updated
- Ensure back-ups and Disaster Recovery plans are fit for purpose and support the recovery of large volumes of data in an acceptable timeframe
- Fully brief COOs, Medical Directors and Senior Nurses on realistic IT recovery times
- Review risk management systems – typically based on Cyber Essentials or ISO 27001 – to ensure that appropriate Cyber Security measures are in place
- Carry out an honest and frank assessment of clinical impact and knock-on effects to the complex regional health ecosystem
When considering what security strategy needs to be implemented to ensure protection from another attack, it is worth bearing in mind that GDPR becomes law in May 2018, and it may be worth bringing both activities together rather than revisiting this later on.
Windows 7 and Windows 10
Supported operating systems including Windows 7, Windows 10, SQL Server 2012 and 2016 are less vulnerable to threats. Windows 7 support ends on 14 January 2020 while Windows 10 has features that require updates a few times a year. The amount of functionality and security software the user has is dependent on their Windows 10 Enterprise package.
Microsoft’s UK datacentre, online since October 2016, provides UK sovereignty for NHS organisations, offering a viable alternative to on-premise servers or a hybrid solution that works in tandem with existing infrastructure.
Using Microsoft cloud technologies, such as Azure and Office 365, reduces the amount of infrastructure organisations have to manage and patch themselves. This simplifies the security challenges for organisations, especially those with complex and out of date estates. Furthermore, it allows IT teams to concentrate efforts elsewhere.
Azure Backup protects data on-premises and online, while Site Recovery allows customers to replicate on-premise physical servers in the cloud – so if an organisation’s primary servers fail, they automatically switch to a secondary site to keep working.
Many Cyber Security firms offer Endpoint Protection solutions that cover an array of situations. Most offer a platform that gives a single place from which to manage, monitor and defend your systems and networks.
A user can often be a weak point in any organisation’s security system. This can range from falling victim to a phishing email, to using unauthorised devices and software, to connecting to an unsecured Wi-Fi network. This is why educating all staff in security best practices is essential. Sophos have developed an Anti-phishing toolkit that is free to download and teaches your users how to spot phishing emails.
As with other areas, there is an overlap with your GDPR projects and planning. User awareness and education is a core requirement of GDPR compliance. Organisations can save time and money by combining security and privacy related user education.
IT systems and networks cannot take an indefinite number of sticking plaster fixes and semi-permanent workarounds. The WannaCrypt hit has highlighted this but this doesn’t mean that the purse strings will be released and a spending frenzy on IT will occur. IT budgets will have more focus now and weaknesses in infrastructure will have to be prioritised. Get the basics in place and the rest will follow.
We can help you find solutions that will identify your vulnerabilities and protect you against future outbreaks. If you simply want advice or are looking to discuss your options further, please contact your Account Manager directly or email email@example.com.