State of the NHS’ security makes you WannaCry

Years of underfunding, combined with a growing and longer-living population, have taken their toll on the NHS, and UK citizens will be well aware of the poor state it’s now in. Budget cuts have forced the NHS to reduce spending where it can, but the ‘WannaCry’ ransomware attack of the past week, which plagued the service and demanded $300 to unlock each infected PC, shows that cuts in the IT department were a step too far.

Our source in the NHS confirmed what we already knew about the attack – it took advantage of a vulnerability in (the now unsupported) Windows XP that the US government’s NSA had hoarded and kept undisclosed, using it as a known backdoor for surveillance, until its tools were leaked earlier this year. The fix, for computers on Windows Vista and above, was deployed by Microsoft back in March.

“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,” wrote Brad Smith, President and Chief Legal Officer at Microsoft, in a blog post. “An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”

Commenting further on why the NHS’ vital systems were left so unprotected, our source described a cautiousness in rolling out updates and patches that proved counterproductive in this scenario. Part of this, he believes, is down to a lack of staff with adequate knowledge, which is itself a result of inadequate funding.

A sensible approach would have been a staged rollout that ensured no critical systems were affected by a troublesome patch or update; then, if the unpatched systems are infected, the patched systems at least provide a fallback. Our source claims some of the servers are old and only support Windows XP-based clients; because those machines are no longer fit for purpose, they should only be able to connect to a local service and should have no internet or file-sharing access.
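The two mitigations the source describes (a staged rollout that keeps a patched fallback for every critical service, and isolating XP-only clients from the internet and file sharing) can be checked mechanically against an asset inventory. The following is an added example, not code from the article or from the NHS; the host records, field names and service names are constructed for illustration.

```python
# Added example (not from the article): audit a host inventory for the two
# mitigations described in the text -- staged patch rollout with a patched
# fallback per service, and no internet/file-sharing access for XP-only clients.
# All hosts, services and field names below are constructed, not real NHS data.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Host:
    name: str
    os: str                      # e.g. "Windows XP", "Windows 7"
    service: Optional[str]       # clinical service this host supports, if any
    patched: bool                # relevant security update already applied
    internet_access: bool        # firewall allows outbound internet
    file_sharing: bool           # SMB/file sharing reachable from the network

# Operating systems that no longer receive vendor patches (assumption for this example).
UNSUPPORTED_OS = {"Windows XP"}

def legacy_exposure(hosts: List[Host]) -> List[str]:
    """Unsupported-OS hosts that still have internet or file-sharing access.
    Per the text, such machines should only reach a local service."""
    return sorted(h.name for h in hosts
                  if h.os in UNSUPPORTED_OS and (h.internet_access or h.file_sharing))

def rollout_rings(hosts: List[Host]) -> Dict[str, List[str]]:
    """Staged rollout plan: one unpatched host per service goes into the pilot
    ring so a troublesome patch never takes a whole service down at once; the
    rest follow in the remainder ring. Unsupported hosts cannot take the patch."""
    pilot, remainder, cannot_patch = [], [], []
    seen_services = set()
    for h in sorted(hosts, key=lambda x: x.name):
        if h.os in UNSUPPORTED_OS:
            cannot_patch.append(h.name)
        elif h.patched:
            continue                      # nothing to roll out here
        elif h.service is None or h.service not in seen_services:
            seen_services.add(h.service)
            pilot.append(h.name)
        else:
            remainder.append(h.name)
    return {"pilot": pilot, "remainder": remainder, "cannot_patch": cannot_patch}

def fallback_gaps(hosts: List[Host]) -> List[str]:
    """Services with no patched host at all: if the unpatched machines are
    infected there is nothing left to fall back on."""
    by_service: Dict[str, List[Host]] = {}
    for h in hosts:
        if h.service is not None:
            by_service.setdefault(h.service, []).append(h)
    return sorted(s for s, hs in by_service.items() if not any(h.patched for h in hs))

# Constructed inventory for the example.
INVENTORY = [
    Host("radiology-01", "Windows 7", "scan-viewer", False, True, True),
    Host("radiology-02", "Windows 7", "scan-viewer", False, True, True),
    Host("reception-01", "Windows 7", None, True, True, False),
    Host("lab-xp-01", "Windows XP", "analyser", False, True, True),
    Host("lab-xp-02", "Windows XP", "analyser", False, False, False),
    Host("stroke-01", "Windows 7", "stroke-referral", True, True, True),
    Host("stroke-02", "Windows 7", "stroke-referral", False, True, True),
]

if __name__ == "__main__":
    print("XP hosts still exposed:", legacy_exposure(INVENTORY))
    print("Rollout plan:", rollout_rings(INVENTORY))
    print("Services with no patched fallback:", fallback_gaps(INVENTORY))
```

The pilot ring deliberately contains at most one host per service, so a patch that breaks something surfaces on a single machine while its peers keep the service running; `fallback_gaps` is the complementary check that, before an outbreak, every service already has at least one patched host to fall back on.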

The lack of adequate security allowed the WannaCry ransomware to spread across trusts up and down the country with little resistance and took offline computers used for life-saving tasks such as medical analysis. An anonymous NHS staffer told the BBC: “Absolute carnage in the NHS today. Two Hyperacute stroke centres (the field I work in) in London have closed as of this afternoon. Patients will almost certainly suffer and die because of this.”

“Had a patient that needed urgent neurosurgery referred, but unable to look at scans – stroke care is absolutely dependent on IT systems and joined-up systems.”

Speaking on how the ransomware spread, our source believes it first came in through email, which the NHS has outsourced to Accenture. Viruses, he says, appear to bypass the Trend Micro antivirus software “all the time”, and even blacklisted relays from known scammers are still allowed to pass through. At the end of last year, a ‘Reply All’ bug in Accenture’s system sent a blank email to 850,000 employees with NHS addresses – which prompted further irritated replies – and resulted in severe delays, with some messages not beginning to be delivered until seven hours after they were originally sent.

Back in 2014, the UK government signed a £5.5 million contract with Microsoft to continue providing support for its XP systems for another year, in the hope that local trusts would use the added time to upgrade systems to a newer, more secure version of the OS. GCHQ, however, warned that while the contract covered the availability of critical patches for XP, there were so many vulnerabilities in the aging software that even those critical patches would not be enough to protect users.

The current variant of the WannaCry ransomware has been slowed after a British researcher — who uses the Twitter handle @MalwareTechBlog — noticed that the domain name the malware checked was unregistered. The researcher registered the domain for $10.69, and it acted as a “kill switch” that stopped the malware, but further variants have already been spotted that likely won’t make the same mistake twice.
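Because the malware looked up that domain before doing anything else, a trust’s DNS resolver logs record which machines executed it, and whether the lookup succeeded. The following is an added example, not code from the article or from the researcher: it parses constructed resolver log lines (the log format is an assumption, not a real product’s) and triages hosts by the answer they received for a placeholder kill-switch domain. The real domain is deliberately not reproduced; `killswitch-domain.example` stands in for it.

```python
# Added example (not from the article): triage hosts from DNS resolver logs by
# whether their lookup of the kill-switch domain was answered. The domain name
# below is a placeholder and the log lines are constructed for this example.
import re
from typing import Dict, List, Optional

KILL_SWITCH_DOMAIN = "killswitch-domain.example"   # placeholder, not the real domain

# Constructed resolver log: timestamp, querying client, name, response code.
SAMPLE_DNS_LOG = """\
2017-05-12T10:02:11Z client=10.20.3.44 query=intranet.trust.example rcode=NOERROR
2017-05-12T10:14:52Z client=10.20.3.44 query=killswitch-domain.example rcode=NXDOMAIN
2017-05-12T10:15:03Z client=10.20.7.12 query=killswitch-domain.example rcode=NXDOMAIN
2017-05-12T16:40:19Z client=10.20.9.80 query=killswitch-domain.example rcode=NOERROR
2017-05-12T16:41:00Z client=10.20.3.44 query=killswitch-domain.example rcode=NOERROR
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) rcode=(?P<rcode>\S+)$"
)

def parse_dns_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed-format log line; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage_kill_switch(log_text: str, domain: str = KILL_SWITCH_DOMAIN) -> Dict[str, List[str]]:
    """Classify clients that queried the kill-switch domain.

    NXDOMAIN: the domain was still unregistered when this host checked it, so the
    sample's check failed and it would have carried on running -- treat the host
    as likely compromised. NOERROR: the check succeeded and the sample would have
    halted; the host still ran the sample, so it remains worth investigating.
    A host with any NXDOMAIN answer is reported as 'proceeded' even if a later
    lookup succeeded, since the earlier run already got past the check."""
    proceeded, halted = set(), set()
    for line in log_text.splitlines():
        rec = parse_dns_line(line)
        if rec is None or rec["query"].lower().rstrip(".") != domain.lower():
            continue
        if rec["rcode"] == "NXDOMAIN":
            proceeded.add(rec["client"])
        else:
            halted.add(rec["client"])
    return {"proceeded": sorted(proceeded), "halted": sorted(halted - proceeded)}

if __name__ == "__main__":
    result = triage_kill_switch(SAMPLE_DNS_LOG)
    print("Likely ran to completion (check failed):", result["proceeded"])
    print("Ran but halted at the kill switch:", result["halted"])
```

Both lists are hosts on which the sample executed; the split only tells an incident responder which ones to isolate first. The same parsing applies unchanged to any later domain a new variant might check, which is why the domain is a parameter rather than a constant baked into the logic.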

The NHS was far from the only victim in this global attack, but the story highlights that skimping on IT security can have life-or-death consequences. As the IoT (Internet of Things) progresses and more things are connected, this should be a warning that security must always come first, or debts will be paid in lives, not cash.

Do you think WannaCry should have been prevented? Let us know in the comments.


HardenStance
26 May 2017, 12:48 p.m.

Decentralizing security patch management to individual Health Trusts was a crassly, crassly, stupid decision. No other words for it.
