Last month’s high-profile cyber attack caused chaos across much of the NHS, but some parts were unscathed. SA Mathieson explores why

On Friday 12 May, staff in many NHS organisations saw their computers taken over by WannaCry, “ransomware” software that scrambles the data on a computer and demands a payment to decode it. The software, thought to be based on leaked cyber-weapons designed by the US National Security Agency, affected hundreds of thousands of machines around the world.

WannaCry was unusual in exploiting weaknesses within parts of Microsoft’s Windows operating system used to share files within organisations. This allowed it to spread automatically in some cases, whereas most ransomware relies on individual users clicking on a link or attachment in an email to get going. As a result organisations with large Windows networks were among the worst affected, including at least 48 NHS bodies in England.

Barts Health NHS Trust, the English NHS’s third-largest employer, activated its major incident plan, diverting ambulances to other hospitals and cancelling all outpatient appointments on 13 May. The trust was still bringing clinical systems back online on 25 May, nearly two weeks afterwards.

Related content​

• GDPR deadline: One third of public sector decision makers not confident they’ll be ready
• Turning the tide: how the public sector can win the battle against shadow IT
• Health care ‘disproportionately affected’ by data security incidents

But NHS Wales was relatively unaffected, with patient disruption nationwide limited to a one-day postponement of scans for 40 cancer patients. Just seven computers out of 55,000 in use across the Welsh NHS were infected. Why was this?

“Organisations with large Windows networks were among the worst affected, including at least 48 NHS bodies”

“Consistent service”

Wales has centralised its health IT in the NHS Wales Informatics Service (NWIS), which supplies more than 70 software services to health boards, trusts and GP surgeries. On the afternoon of the attack NWIS set up a major incident room at its Cardiff office, where it implemented additional monitoring and increased staffing.

NWIS then updated antivirus software and security patches to deal with WannaCry; restricted staff access to external webmail services; and blocked and deleted all emails from external senders, a decision made collectively with the boards and trusts. These measures also affected non-NHS organisations including Powys County Council, which uses NWIS’s central infrastructure. NWIS said the council was fully involved in all discussions, including the decision to restrict inbound email.

On 14 May, a spokesperson said, NWIS introduced exceptions to the email ban, allowing messages from the Welsh Government, police and suppliers of GP computer systems. It finally lifted the measure on 19 May, having already done this for Powys.

NWIS says that it benefitted from the fact it runs all GP computing, as well as hospitals and other NHS services. “This allows a consistent service to be provided and allows us to respond quickly and efficiently when needed. In addition, all NHS Wales’ organisations meet regularly, at all levels, to collaborate on cyber security issues.”

By contrast, NHS organisations in England had to overcome several disadvantages. England’s NHS is much larger, which makes centralised systems more unwieldy. But a bewildering structure and a recent history of centralising, then decentralising, IT services present bigger problems.

Scotland, Wales and Northern Ireland offer most healthcare through a small number of boards and trusts that provide integrated services in geographic areas. Scotland has just 14 geographic health boards, along with a small number of national bodies. Although NHS Lanarkshire was affected by WannaCry, Scotland as a whole appears to have been less affected than England.

Workforce data for England currently lists 433 employers across the NHS, broadly divided between clinical commissioning groups, which run primary care and commission secondary services such as hospital care and mental health, and trusts that provide these services. The trusts vary greatly in size and scope, with for-profit and community interest companies also providing some services.

“The expiry of the Microsoft Enterprise agreement in 2010 provides a specific clue as to why England’s NHS was so badly hit by WannaCry”

For the last few years these organisations have been responsible for their own IT, although many use regional hubs known as commissioning support units. This follows a period of centralisation under the Labour government’s National Programme for IT, which attempted to buy IT centrally for the English NHS.

The national programme failed to get its flagship patient record systems into use in most hospitals. But it was successful in setting up national systems including a common email system and NHS-wide deals with major suppliers including Microsoft.

“Negligent”

The expiry of the Microsoft Enterprise agreement in 2010 provides a specific clue as to why England’s NHS was so badly hit by WannaCry. The agreement allowed organisations to use Windows and other Microsoft software at no cost to them; when government let it expire the organisations could continue using Microsoft’s software on existing computer hardware but would not upgrade to new versions. Microsoft launched Windows 7 shortly before the deal’s end, but the vast majority of NHS trusts were still using Windows XP, launched in 2001.

Initial reports suggested that WannaCry was most successful in attacking computers running Windows XP, for which Microsoft ended security support in April 2014. Despite this, since the attack Microsoft has freely released a patch – a piece of software to repair security holes – for XP.

However, it has become apparent that many English NHS organisations hit were using Windows 7, the oldest version of the operating system which still has security cover. And English NHS organisations could have installed a free patch Microsoft released in March for the problem exploited by WannaCry.

“The people who didn’t patch Windows 7 and as a result caused an interruption of patient care should be sacked,” says Ross Anderson, professor of security engineering at Cambridge University’s Computer Laboratory. “You wash your hands after going to the toilet. You patch your systems. If you don’t, and patients come to harm, you face litigation, being struck off, and, in extremis, jail for manslaughter by negligence.”

He points out that the majority of hospitals, along with most GP surgeries, were not affected. “The test for negligence is failing in your duty of care by the standards of the industry. Even if you judge by the standards of the NHS rather than by the standards of the IT industry, the people who failed in this case were negligent,” he says, adding: “It’s time for some P45s, and then people will take care in future.”

Some working within NHS IT are nearly as scathing. “There were two clear pockets of trusts that were affected, in the north-west, and north London and Essex,” says a senior IT manager for an NHS organisation in an unaffected area of England. “I believe that any trust that was hit by ransomware for a second time should be accountable as they have obviously learnt nothing. There is a cost to any cybersecurity counter measure, however patching of Windows is the cheapest and easiest solution to implement.”

“It’s time for some P45s, and then people will take care in future” – Ross Anderson, professor of security engineering at Cambridge University

But the IT manager adds that some suppliers of specialist healthcare systems also need to take some blame, when they tell users not to install a Windows patch because it would interfere with software. “NHS organisations need to seriously question suppliers about what the 15-20% maintenance costs each supplier charges for their product goes on. It appears that suppliers use this as a pot of cash to develop new products rather than support on the product that the organisation is paying for.”

Suppliers should be required to test security-critical patches such as Microsoft’s March one on their software, including on older versions that are still in use, the manager says. “Too many suppliers will say that they only test critical patches against their latest release, this is no longer acceptable. However, this can only be done NHS-wide as unilateral action by any trust on its own will be futile.”

It is highly likely the NHS will face similar threats in future, not least because WannaCry itself had weaknesses. Marcus Hutchins, an internet security researcher based in Ilfracombe, found it was trying to contact an inactive web address. He bought and activated the address in question over the weekend, and as a result stopped the ransomware spreading further.

Adrian Winckles, a senior lecturer in cybersecurity at Anglia Ruskin University, says it is likely that something like WannaCry will reappear without these weaknesses; a “kill switch” such as the one Hutchins activated is often included only in test versions. “This is probably someone experimenting to do something more severe next time,” he says. “My fear is that this was just a practice.”

He adds that this should be treated as a wake-up call: “We were lucky this time.”

Centralised solutions?

WannaCry was a financial flop by ransomware standards. Two weeks after it hit, it had only collected $125,000 globally, according to monitoring by security company Elliptic. Professor Bill Buchanan, head of the Cyber Academy at Edinburgh Napier University, says that 2015’s CryptoWall ransomware attack raised $325m.

Buchanan adds that financial services companies offer useful models of how the NHS could improve its security: for example, they generally run their IT through “cloud” systems, where data is centralised rather than held on individual machines, meaning that if the latter are compromised data is not lost. Also, “most banks run 24/7 security operation centres and any attacks are picked up quickly and dealt with,” he says. “The NHS just needs to modernise its infrastructure, because it’s more dependent on IT for patients’ safety.”

“Something like this is a clinical safety issue now” – Richard Corbridge, chief executive of eHealth Ireland

Richard Corbridge, who used to work on the English NHS’s central IT, is now chief executive of eHealth Ireland, the Irish government’s programme to improve the country’s healthcare IT. Like Wales, it treated WannaCry as a major incident, disconnecting its network from the outside world so that hospitals, GP surgeries and national systems could still communicate with each other but external internet and email access was cut.

eHealth Ireland sent the latest security patches to affected machines over the weekend of 13-14 May and after further work and checks reconnected the network on the afternoon of 16 May. “It didn’t impact on clinical business,” says Corbridge, although two weekdays without external email will have affected administration. “But what we did was make sure we were focused on clinical care.”

Corbridge sees potential for public sector organisations to co-operate in tackling future problems. Over the weekend of 13-14 May, eHealth Ireland created training material to instruct users with infected machines: “What we’d do differently is try to share [these materials] more quickly and more easily across government departments,” he says. “We feel that everyone did the same multiple times.” Such materials could be shared between Ireland, the UK and other countries, possibly co-ordinated by the World Health Organisation. “Something like this is a clinical safety issue now,” he says. It would also help if healthcare systems had a formal mechanism for warning each other of security issues, as financial providers do, he adds.

As to why Ireland was relatively lightly affected, Corbridge says that centralisation helps but is not a panacea. “Ireland is in a better place than the UK, for once, in that we have a single response unit,” he says, adding that central systems are not universally used in England, with some trusts avoiding the national NHS email system.

“I think it is centralised solutions and centralised standards that could help health combat something like WannaCry. They don’t take away the risk, and when you’ve got a central solution the risk is compounded to some degree,” says Corbridge as there is a single point of failure. But he adds: “Centralised risk takes funding concerns away from locally cash-strapped organisations. You can invest once centrally more easily than many times locally.”