The WannaCry attack exposed a messy IT estate across the NHS, which too often gets overlooked in the face of more pressing financial and clinical pressures. Ben Heather examines the impact of the cyberattack and what is required to plug the security gaps.

In March, and again in late April, IT departments across the NHS were alerted to a critical security update, or patch, and urged to apply it to most of their Windows computers and servers. Quickly.

Applying these patches isn’t as simple as pressing a button, though there are programmes that make it far easier.

An acute trust will typically run as many as 60 IT systems – some of them older than the trust’s employees. Some software will only run on old versions of Windows, or Internet Explorer, or a complicated combination of both.

Some systems are fragile and prone to break in response to changes in their operating environment – like a new security patch. Many are critical to supporting patient care.

So many trusts would have applied this latest security patch slowly, carefully, testing as they go, once various departments agreed to the change. They would have balanced the theoretical threat of a cyberattack against the more tangible risk of losing access to a critical clinical system.
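The staged rollout described above starts with knowing which machines still lack the fix. The following PowerShell inventory is an added example, not code from the article or from any NHS trust: it checks a list of hosts (placeholder names, assumed) for the March 2017 SMB update that WannaCry exploited, Microsoft's MS17-010, and flags Windows XP machines, which had no fix at all until after the attack. The KB numbers are the ones Microsoft shipped MS17-010 under for each Windows family.

```powershell
# Added example (not from the HSJ article). Inventory which Windows hosts still
# lack the March 2017 SMB fix (MS17-010) and which still run Windows XP, so a
# trust can patch or isolate the riskiest machines first. Host names are
# placeholders for an assumed estate inventory.
$hosts = @('ward-pc-01', 'pacs-srv-02', 'theatre-pc-07')

# KB numbers under which Microsoft released MS17-010, by OS family.
$ms17010 = @(
    'KB4012598',                            # XP SP3 / Server 2003 / Vista / Server 2008 (released 12 May 2017)
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',               # Windows Server 2012
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

$report = foreach ($h in $hosts) {
    try {
        $os        = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $h -ErrorAction Stop
        $installed = Get-HotFix -ComputerName $h -ErrorAction Stop | Select-Object -ExpandProperty HotFixID
        [pscustomobject]@{
            Host    = $h
            OS      = $os.Caption
            IsXP    = ($os.Caption -like '*Windows XP*')
            Patched = [bool]($installed | Where-Object { $ms17010 -contains $_ })
            Status  = 'queried'
        }
    } catch {
        # Unreachable hosts are reported rather than dropped: an unknown box is
        # exactly the kind of gap in the estate the article describes.
        [pscustomobject]@{ Host = $h; OS = $null; IsXP = $null; Patched = $null; Status = $_.Exception.Message }
    }
}

# Work from the riskiest end of the list: XP first, then unpatched or unknown hosts.
$report |
    Sort-Object -Property @{ Expression = 'IsXP'; Descending = $true }, Patched |
    Format-Table -AutoSize
```

Two caveats a practitioner would want. Get-HotFix reads Win32_QuickFixEngineering, so a host that received the fix through a later cumulative update may not list one of these exact KBs; the check is deliberately conservative and will over-report, never under-report, unpatched machines. And a host that cannot be queried at all should be treated as unpatched until proven otherwise, which is why the script surfaces the error rather than skipping it.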

Unprecedented disruption

Our analysis, published today, shows at least a fifth of all trusts – and likely far more – had not moved fast enough when the WannaCry ransomware struck on 12 May.

NHS leaders played down the impact of the attack, and played up the effectiveness of the response, but our research makes it clear that the disruption was unprecedented.

More than 15,000 appointments and operations were cancelled. The cost in lost clinical time, downstream rescheduling and incomplete data will probably never be quantified.

However, if the IT back door remains open, future attacks could do even more damage. WannaCry was not particularly sophisticated and was not targeted specifically at the NHS.

That will not always be the case.

NHS leaders are treating the WannaCry attack as a “wake up” call, albeit a severe one, and have avoided pointing the finger at any organisations.

This is partly because, while trusts that were infected with the virus should have been better protected, plenty that were equally unprepared escaped unscathed.

The hope is that WannaCry will finally shift the balance of how risk is prioritised, between a theoretical cyberattack and day to day pressures.

If they weren’t already, all NHS leaders should now be deeply cognisant of their organisation’s reliance on IT systems to function effectively both clinically and financially.

Accountability for chief executives

The government’s response to the third Caldicott review last week has now created some welcome support and obligations around increasing the priority given to cybersecurity.

New guidance and standards are being developed for data security and chief executives and boards will – in theory – need to demonstrate their organisations are meeting the new requirements.

While there has been a lot of talk about supporting the system, the response makes it clear that trusts that do not meet these new standards could face regulatory intervention and financial penalties.

The effectiveness of this approach will rest on clearly communicating – and enforcing – expectations around cybersecurity.

But these fixes, even if effective, only solve part of the problem.

Even with the renewed focus and requirement around cybersecurity, the NHS’s IT estate remains a tangle of systems, many retained beyond their natural life in the face of years of underinvestment.

Securing the edges of such a mess against cyber encroachments is challenging. Think about that one trust with 60 different IT systems, multiplied across the health system.

While the much maligned Windows XP system, for which a patch wasn’t released by Microsoft until after the WannaCry attack, was not the virus’s primary gateway into the NHS, it does appear to have played a part.

Barts Health Trust, which alone accounted for about a third of reported cancelled appointments and half of reported cancelled operations, blamed XP for its cyber troubles. The reliance on the system was a product of a “very long term underinvestment in IT infrastructure across an IT estate of unusual scale and complexity”, the trust said.

Considerable nervousness

On the technology front, the Caldicott response frees up an extra £21m for trauma centres to improve cyber resilience in the short term. It also places extra pressure on NHS organisations to move off unsecured IT systems, such as XP, or at least isolate them from the rest of their IT infrastructure.

There is also a suggestion that the Department of Health will run a “centrally managed agreement” to supply health and care organisations with “a common core build of an up to date operating system”.

In the wake of the National Programme for IT, HSJ understands there is considerable nervousness about any new national IT contract dictated from the centre. But some tightening of control around core IT infrastructure, whatever shape it eventually takes, appears likely.

In the longer term, the centre will be hoping the Paperless 2020 programme, and more specifically the digital exemplar programme, will help raise the digital floor across the NHS, including simplifying the IT estate and improving cybersecurity.

However, with the exemplar programme initially more focused on raising the ceiling than the floor, NHS-wide digital transformation is years away and will likely require funding beyond what is currently committed.

In the meantime, the risk is that memories of WannaCry will fade and cybersecurity will again be relegated by more immediate clinical and financial risks.

The price of such complacency has never been higher for NHS leaders and patients.
