We all know what happened on 12 May 2017. That’s the day when an updated version of WannaCry ransomware announced itself to the world. In a matter of days, the malware encrypted data stored on 200,000 computers across 150 countries.
One of the victims affected by WannaCry was the United Kingdom’s National Health Service (NHS). According to a report released by the National Audit Office (NAO), the attack caused disruption at 34 percent of NHS trusts. An additional 603 primary care and other NHS-related organizations also reported infections.
Amyas Morse, head of the NAO, said the attack didn’t have to go that way. As quoted in an October 2017 press release:
“The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
May 2017 wasn’t the only time that NHS trusts suffered disruptions at the hands of computer criminals. According to Freedom of Information (FOI) requests sent to 80 NHS trusts by Intercity Technology, approximately a third of organizations suffered an outage across their IT systems between January 2015 and February 2018. A security breach was behind the blackouts for 14 of those entities, with NHS organizations suffering 18 security breaches over the last three years. Those events collectively caused 18 days’ worth of outages, The Register reported.
These findings raise the question: why are computer criminals so intent on targeting the NHS?
Part of the answer has to do with the NHS specifically. In its report, the NAO found that the National Health Service had not conducted simulations for a significant digital attack at a local level leading up to WannaCry. This lack of familiarity led to communication problems when the ransomware attack hit, thereby degrading recovery efforts. The NAO also learned that all NHS organizations affected by WannaCry could have protected themselves by updating their Windows operating systems or by properly configuring their firewalls.
The other part of the answer ties into greater problems affecting healthcare overall. In general, healthcare organizations aren’t the most effective when it comes to patching known security vulnerabilities. According to the “SecurityScorecard 2018 Healthcare Report: A Pulse on The Healthcare Industry’s Cybersecurity Risks,” 60 percent of the most common security issues in the healthcare industry relate back to poor patching practices. This industry-wide shortcoming gives attackers a means of preying on healthcare organizations. They don’t need any more motivation; they already have the value of healthcare data to spur them forward. As noted by IFSEC Global, attackers can either sell stolen healthcare data on the dark web or use it to build victim profiles for follow-up attacks.
Acknowledging the persistence of these types of threats along with the limitations highlighted by WannaCry, the UK Government announced new measures to boost the digital security of the National Health Service. These efforts will include £21 million on upgrading firewalls and network infrastructure at certain sites, funding that empowers the Care Quality Commission to evaluate the digital security preparedness of NHS trusts, and the implementation of a new text messaging alert system to help facilitate better communication between trusts.
Still, there’s work to be done. The Internet of Things increasingly threatens the NHS with data breaches unrelated to WannaCry. So too do non-WannaCry ransomware attacks, as at least four separate incidents have shown since May 2017.
How Tripwire Can Help
The NHS, like all healthcare organizations, needs to take steps to bolster the digital security of its systems so that it can ensure the availability of critical medical services and protect its patients’ data. Such measures are especially important when defending against vulnerabilities like EternalBlue, the Microsoft SMB flaw which WannaCry exploited in May 2017. CVSS risk scoring is good. But in these types of instances, low-medium-high scoring on its own is not of any use for prioritization: the vulnerability shows up as “high” in every part of the business, so the critical systems and assets that provide the “business as usual” state land in the same category as non-critical systems.
This is where Tripwire IP360 can assist. Tripwire not only provides the CVSS risk scoring but also adds a unique way of weighting assets according to their criticality to the business, amongst other criteria. This gives the limited resources available a way to apply patches quickly to the critical systems first, in order to provide the secure “business as usual” state for the business.
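The prioritization problem described above can be made concrete with a short added example. It is not Tripwire IP360's scoring and not code from the original article; the tier names, weights, host names and scores are constructed assumptions. It shows the same "high" finding ranking differently once asset criticality is applied, with unclassified hosts kept at the front of the queue.

```python
from dataclasses import dataclass

# Constructed weights per asset tier (assumption); set your own in practice.
TIER_WEIGHT = {"clinical-critical": 3.0, "business-support": 1.5, "non-critical": 1.0}

@dataclass(frozen=True)
class Finding:
    host: str
    vuln: str
    cvss: float  # CVSS base score, 0.0-10.0

def cvss_band(score: float) -> str:
    """Low/medium/high banding of a CVSS v2 base score."""
    if score >= 7.0:
        return "high"
    return "medium" if score >= 4.0 else "low"

def patch_queue(findings, inventory):
    """Order findings by CVSS x asset weight, highest first.

    Hosts missing from the inventory get the top weight, so an
    unclassified machine is never silently pushed to the back.
    """
    top = max(TIER_WEIGHT.values())
    rows = []
    for f in findings:
        tier = inventory.get(f.host)
        weight = TIER_WEIGHT.get(tier, top)
        rows.append((round(f.cvss * weight, 2), f.host, f.vuln,
                     cvss_band(f.cvss), tier or "unclassified"))
    # Ties on score fall back to host name for a stable, repeatable order.
    return sorted(rows, key=lambda r: (-r[0], r[1]))

# Constructed sample data: hosts, tiers and scores are illustrative only.
INVENTORY = {
    "pacs-imaging-01": "clinical-critical",
    "hr-fileserver-02": "business-support",
    "reception-kiosk-07": "non-critical",
}
FINDINGS = [
    Finding("reception-kiosk-07", "EternalBlue (SMB)", 9.3),
    Finding("hr-fileserver-02", "EternalBlue (SMB)", 9.3),
    Finding("pacs-imaging-01", "EternalBlue (SMB)", 9.3),
    Finding("unlisted-host-99", "EternalBlue (SMB)", 9.3),
    Finding("pacs-imaging-01", "constructed medium finding", 4.3),
]

if __name__ == "__main__":
    for score, host, vuln, band, tier in patch_queue(FINDINGS, INVENTORY):
        print(f"{score:6.2f}  {band:6}  {tier:17}  {host:20}  {vuln}")
```
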
In the meantime, Tripwire Enterprise can be utilised to monitor the network for any changes or drift in compliance and policies, providing real-time notification to the resources on anything that is detrimental to the estate so they can address it immediately.