From the very late 1990s up until the time I retired, I worked in an office. I chose a different career path that involved sitting in front of a computer doing things with other computers and servers for the British Healthcare system: the NHS.
Post 5 covered mandatory training, user education and the outbreak of Covid-19.
Now we come to post 6: the final post. It’s taken a number of long posts to get to the actual point of the whole series: IT breaches in Hospitals. But I wrote those posts for a reason. Invariably, large networks and computer systems are complex. They’re complex to manage and they can be complex to use. What I’ve written in the previous posts is only a scratch on the surface of what we had to do and how we did it. It’s meant to relate the huge tasks that IT departments had – and still have – to face on a daily basis. Dealing with users, large amounts of equipment, lack of investment and complacent management.
It by no means clarifies the lack of IT or security understanding by the management of IT, or the Trusts themselves. I’ve mentioned it a couple of times, but the posts do no justice in driving home the lack of investment in those areas, that there was at the time.
Are we getting to the point yet?
Yes we are. We’re here right now, in fact.
In order to breach a Hospital system you might have to do several things:
- You’ll have to access the network somehow, to make a connection to the Hospital system. Usually this will be performed through malicious code, either injected into a system through an unsuspecting user, or injected through an unprotected device.
- You’ll have to have some credentials. Stolen, or sniffed, to access the system.
- You’ll have to know where in the system the data is kept. Is it in a database, for example.
All of which you could probably do, if you visited a hospital, stole a laptop and someone’s credentials to gain access to the system, in order to hack it and download the data. I imagine in most hospital systems nowadays, that data’s going to be quite sizeable, so may take a moment or two to download it.
How would you go about doing that? I imagine the easiest way would be to send someone an email with some malicious code in it, that would steal their credentials and allow you access to the hospital system remotely.
Let’s just talk about another breach for a moment:
WannaCry
In 2017, just a few months after I’d moved Trusts, the NHS in England was hit by the WannaCry ransomware trojan. As you can read in the Wikipedia page for it, it was a trojan virus that exploited a vulnerability in Windows. The trojan encrypted the PC and displayed a splash screen that wouldn’t go away. The splash screen explained that unless the victim paid in bitcoin, the files would be lost.
I mentioned way back in Post 2 that as I’d been bitten quite hard by an email virus, I’d been quite keen to make sure Windows Updates were applied as soon as they were released and tested. The WannaCry attack actually started on Friday 12th May 2017, which would be three days previous. By that time, I had downloaded patches (including the ones for WannaCry – but didn’t know it yet!), tested and deployed to users.
On that Friday, NHS England alerted Trusts around the country of the WannaCry virus and provided us with some recommendations. We worked for quite a long time that night and over the following weekend to get additional patches out, send communications to users and make sure our servers had good backups and were safe.
On the 14th and 15th May 2017, the killswitches were discovered and we were safe. We didn’t get hit by the virus, nor did our colleagues over in the Hospitals Trust.
I’d like to think that we escaped infection due to vigilance, patching and the general robustness of the network. Although patching and vigilance probably did play a big part in preventing any wrongdoings, I suspect luck had a part to play in it as well.
Luck that a few other NHS Trusts up and down the country did not have. Plenty of NHS Trusts and GP Surgeries were affected by it and it hit them badly.
The WannaCry fallout
Once the dust had settled from WannaCry, NHS England and the Government started implementing policies to both audit and provide recommendations to NHS Trusts. We had to report back numbers of equipment we had on site, what their patch state was and any firmware versions. We had to report the state of our anti-virus software and we were encouraged to use a specially crafted NHS version of Windows Defender, that was centrally managed and monitored by NHS England.
The Government decreed that every Trust had to undergo a yearly examination of their cyber-security status. Called Cyber-Essentials, this came in two flavours, the standard cyber-essentials and the cyber-essentials plus. We opted for the standard first, but quickly worked up to the plus version. Part of the cyber-essentials qualification was that we had to host some external engineers for a few days. They would probe the network and equipment estate with benign cyber tools, the point of which was to discover vulnerabilities in the network and equipment estate.
The report would return a few days after the engineer visit and we would work on the shortcomings. They were never serious shortcomings, I’m pleased to say.
As a result of the WannaCry outbreak however, a number of staff decided to apply for training in cyber-security.
A blessing in disguise?
In one respect, WannaCry was devastating. The amount of data that must have been lost, the amount of work required to get systems back up and running, the amount of hours worked by the IT department teams, let alone the clinical staff. It must have been a mighty task to get hospitals back up and providing healthcare to patients.
On the other hand, WannaCry could be seen as a blessing in disguise. If it hadn’t had such a big impact on so many NHS services, then perhaps the counter measures, the new policies, the resultant funding that was made available to be able to put in place cyber-security measures to prevent further cyber-attacks wouldn’t have happened when it did. If it hadn’t happened, maybe things could have been a lot, lot worse.
Now that we’re further down the line from WannaCry, Trusts are now much more aware of cyber-security. They have to be, as the Government has directed them to be. The cyber audits, internal vulnerability testing, patch and firmware reporting, integrated defender tools that are overseen by NHS England. Some Trusts now have dedicated cyber-security teams, overseeing Trust security as a whole. These are all things that didn’t exist in 2017, but they do now.
There are Government departments whose sole responsibility is to monitor cyber security, there are Government directives that were put in place (under the Conservative Government of 2023) that outline plans to build cyber resilience by 2030. That’s in six years’ time as I write this post and we’ve just changed Governments.
The recent breaches
Which leads me to this: after WannaCry, every single Trust in the country – including GP Practices – was obliged to go through what we did. Every Trust would have to report back the status of their user and server equipment. Every Trust would have to complete the cyber-essentials audit. And every Trust would have had to report that back to NHS England.
I know that this would be true for NHS Trusts, but I’m not so sure that third party companies that supply services to the NHS have the same requirements.
The latest NHS breach isn’t an NHS breach at all. Yes, it’s NHS patient data, but it’s held by a third party company called Synnovis. Synnovis perform blood tests and pathology services for some NHS Trusts and it is they who have been breached. The NHS Trusts that use the service seem to be unaffected by any virus or trojan. Certainly there has been a massive disruption of the provision of treatment to patients because of the Synnovis breach, but the breach itself was not at the NHS Trusts themselves.
The NHS in general has used third party companies for various services for years. My experience of them and working with them (mentioned in post 2) hasn’t been the greatest over the last 23 years, so it wasn’t a big shocker to read the news of the breach.
A lot of the third party companies that I worked with – especially from a cyber point of view – weren’t regulated by anyone but themselves. I wouldn’t be at all surprised if that wasn’t still the case. Sadly.
Since WannaCry in 2017, the awareness of cyber-security in the NHS has increased many-fold; and Trusts’ resilience to attacks along with it. There are many more resources available now than there have ever been relating to the prevention of cyber attacks and data breaches.
I wouldn’t be at all surprised if there aren’t more data breaches to come. It won’t be from an NHS Trust though, it’ll be from the third party company that the Trust pays (a lot of money), to host their hospital systems.
Summary
- WannaCry. Was it a blessing in disguise?
- The fallout from WannaCry raised awareness of cyber-security manyfold and gave us (the IT department) leverage.
- The recent breaches. We’re back to those pesky third parties again.
What we’ve covered
(Post 1) How an IT Department is Financed in the NHS
(Post 2) Windows Updates
(Post 2) Network security
(Post 2) User device security
(Post 3) Account security
(Post 3) The administrators
(Post 3) User account management
(Post 3) The auditors
(Post 3) Sysadmins
(Post 4) Backups
(Post 4) Virtual vs physical
(Post 5) Security? What’s that?
(Post 5) Education, education, education.
(Post 5) I’ve been scammed!
(Post 5) Covid-19
(Post 6) Are we getting to the point yet?
(Post 6) WannaCry
(Post 6) The WannaCry fallout
(Post 6) A blessing in disguise?
(Post 6) The recent breaches