How can the NHS most effectively build resilience to a major cyberattack?

It’s now five years and a pandemic since a ransomware attack caused significant disruption to NHS services, but Paul Charnley still remembers it vividly.

Back then he was director of IT at Wirral University Teaching Hospital Foundation Trust and, for a week, one of the best customers of the local pizza restaurant. He and his colleagues relied on the delivery service to keep them fed and watered as they worked long hours trying to prevent WannaCry wreaking havoc on local services.

The attack disrupted more than 80 trusts and 8 per cent of GP practices across England. The Department of Health and Social Care subsequently estimated that 19,000 appointments were cancelled in that period, with £92m in direct costs and lost output.

Investigations took place, reports were written, cybersecurity beefed up. But, as explored at a recent HSJ webinar in association with ManageEngine, the threat of attack has not gone away. In some ways, it may in fact have intensified and become more complicated.

“We’ve seen the potential for an uptick in the cyber threat targeting the UK,” explained Andy Green, senior industry liaison at the National Cyber Security Centre and chief security information officer at Gemserv.

“We’ve seen specific intelligence which called out the fact that state-sponsored actors from Russia would be targeting UK critical national infrastructure, and calling out the NHS as one of those targets.

So how might the NHS bolster its defences against attack? For Gary Colman this is one area, at least, in which there is a high degree of consistency. Mr Colman is head of West Midlands Ambulance FT’s Information Security and Assurance Service, which provides services to a number of other NHS organisations. He did say the advice he and colleagues give clients “has evolved slightly in that there’s a perceived greater level of risk and likelihood of cyberattack”.

“But the fundamentals are still exactly the same as they have always been: get a strategy in place, get an operational plan in place to make sure your cybersecurity is up to spec, make sure you know what kit you’ve got and which systems are facing the internet.”

Organisations need to take a “layered” approach towards protection against cyber threats

Romanus Raymond Prabhu, global head of technical support – endpoint management and security at ManageEngine, argued organisations need to take a “layered” approach towards protection against cyber threats.

“Patches [updates to software which help solve issues, including security flaws] are your first line of defence; keeping your patching up to date. Then there are blind spots [to be addressed] – unwanted applications like browser plug ins or extensions, and which USB devices are running and which USB ports there are – and that unknown vulnerability is the second layer of defence.”

The last layer? An ability to deal with real-time attack. He said this necessitated “a deep analysis” of all “endpoints” within an organisation. An endpoint is any device which connects to a network from outside a firewall, so things like laptops, mobiles, tablets and printers – many of which are now being used for home working, increasing the potential risk. By knowing what normal activity looks like on these devices, it’s possible to detect anything which looks abnormal and which could constitute an attack.

Board members and other senior leaders do not need to be involved in the complexity of this technical monitoring, our panellists stressed. But, Mr Green said, they should be asking about the general approach IT colleagues are taking to manage the threat of cyberattack.

“Risk is something all board members understand, whether it is from [the perspective of] operational risk or financial risk,” said Mr Green. “So I would [advise board members to] ask whether or not a cyber risk assessment has been taken. I would look to see the results of that, and I would look to see what the most critical risks that have been identified are, and then I would ask what controls are in place to address and mitigate those most critical of risks.”

Those questions could also cover the issue of continuity plans for common attacks, which Mr Colman said were a vital tool in bolstering defences – so long as they’re practised.

“Don’t just create plans and put them in a cupboard somewhere. Rehearse them every few months. Also, when you’re rehearsing them, get everybody involved – not just IT security. Get clinicians involved, get HR, get finance.”

The need to involve a wealth of professionals and organisations if an attack is to be successfully managed was, Mr Charnley said, one of the main lessons he and colleagues took from WannaCry.

“[We found] there was poor coordination between organisations, and there was a very bad mix between the digital problem and the operation problem. So while some of our hospitals were suffering with no diagnostic services and close to closing their A&E, the people on the call [to discuss the situation] were hearing about what levels of patches had been installed.”

Mr Charnley is now digital lead at Healthy Wirral Partners, an integrated care partnership, and he said that the move to deeper integration in the NHS made collaboration more important still.

“If you focus on each organisation separately, you might protect that organisation – but we’re not one isolated organisation. The risks are in the joins between us.”

Running incident rehearsals for cyberattacks had helped, he said, and not least in identifying those who need to be involved.

“We need to communicate with finance – do we pay a ransom [in the event of a ransomware attack]? What legal advice do we get in an emergency when something like that occurs? What is the relationship with the police in these things? These are things that you do not think about when you are a manager sitting in your own department, so opening up that communication has really helped make us more resilient and prepared.”

And while that week of pizza ordering may now be several years behind him, Mr Charnley says it is not time for the NHS to drop its guard.

“Because it has now been five years since WannaCry, I think the key message is about staying alert. Do not get complacent. There are always new things that represent a risk. So, stay alert, think about it, and plan.”

An on demand version of this webinar is available.

If you had previously registered as a viewer for the event, visit here or check your email for the link to the recording.

If you hadn’t previously registered, complete the form here. You will then be sent details on how to access the recording.