[BreachExchange] Here's how the NHS can prevent another WannaCry crisis

Audrey McNeil audrey at riskbasedsecurity.com
Mon Sep 11 21:18:10 EDT 2017


http://www.wired.co.uk/article/nhs-wannacry-nca-ncsc-response

To explain what went wrong with NHS networks the day the WannaCry
ransomware struck in May, GP Chris Mimnagh offers a medical term:
iatrogenic.

That, he explains, is the Latin for "I have caused it" — a way for
clinicians to describe when they've caused disease in a patient through
their own actions. "We had an iatrogenic cyber attack," he says.

There's no question WannaCry was a serious piece of ransomware, disrupting
corporations including Telefonica and Merck across the world, alongside
dozens of NHS trusts in the UK. But while Mimnagh's practice wasn't
infected by the ransomware, it was still forced to cancel non-emergent
treatments after networks were taken down, in a bid to halt the spread of
the infection.

"When things went wrong on that particular Friday, we knew pretty quickly
it was bigger than just us," he explains.

It started with an email from the local health informatics service at 1pm
one afternoon, warning against opening spam email or clicking on links in
messages. Just after 2pm, his clinic lost its connection to the outside
world. With a background in health IT and knowledge of how the dual ISDN
connection was structured, Mimnagh knew this wasn't a mere fault.

Mimnagh started texting and calling around, first to his local clinical
commissioning group, which was unaware of the loss of service, and then
colleagues at other trusts. A friend at an informatics health group
elsewhere in the country revealed its own network had been shut down in
response to the ransomware.

"We had no advance warning, no notification, that connectivity was going to
be severed," Mimnagh says. Like any other business, his practice depends on
data held offsite in the cloud, so the abrupt cut-off was hugely
problematic. There is a local backup, but to make matters worse, it failed.

Mimnagh turned to Twitter for more details about what was going down. Asked
if at that point he'd heard from a central authority directly, he laughs.
"We did eventually get an email from the clinical commissioning group,
telling us to turn off our machines," he says. "Then we got another email —
how were we supposed to have gotten the second email if we'd shut down our
machines? — saying don't shut down your machines because it could activate
the virus."

While Mimnagh has genuine sympathy for those making quick decisions without
knowing how the ransomware worked or spread, he notes with admitted
hindsight that giving practices and trusts a few minutes' notice would have
avoided most of the disruption to patients. His own local area was
unaffected by WannaCry, yet he still couldn't treat patients — hence the
iatrogenic diagnosis.

Unified response

Who could have handled it better? NHS England, NHS Digital, the National
Crime Agency and the National Cyber Security Centre were all involved in
the incident response, but none were able to comment since the
investigation into WannaCry is ongoing.

Steve Hill, a former deputy director at the UK government National Security
Secretariat dealing with cyber security, and now a senior fellow at King’s
College London, says the NCSC was in part created to give a unified
response to large-scale attacks just like WannaCry.

"The government is trying to set itself up so that we can respond
systemically in the longer term and, at the same time, give authoritative
advice through the NCSC on specific attacks at a larger scale," Hill
explains. The NCSC wouldn't intervene in smaller attacks, which are still
dealt with by police, but it would handle anything that affects
infrastructure and could become a national security threat.

In the case of WannaCry, the response went straight to the top, with PM
Theresa May summoning an emergency Cobra committee of relevant ministers,
civil servants, police and other experts, including those from security
agencies. "It sends a real signal of seriousness," Hill said. "The public
wants to be reassured that the government is looking at it... that
government is being seen as doing all it can."

Front-line resources

While WannaCry merited a top-level response, University of Surrey's
professor Alan Woodward says any problems with the response weren't
actually at the central authority level. "As ever, it's down at the coal
face that matters. There's no way, especially with a distributed
organisation the size of the NHS, that you can expect a central government
body to deal with it."

Any response plan needs to take account of local conditions – and that's
not easy with a behemoth like the NHS, scattered throughout the country,
with each trust able to buy in whatever software and hardware it chooses.
"Even central NHS IT doesn't know the ins and outs or configurations of
every individual trust," Woodward says.

That means that during attacks against the NHS — targeted or not, as was
the case with WannaCry — central authorities may technically lead the
response, but the real work will largely be done by front-line IT staff in
each and every trust. Woodward says the chaos in May suggested a lack of
resources in terms of people and skills, as well as incomplete or untested
incident response plans.

And that means the measures rolled out to prevent NHS networks from being
knocked offline by another WannaCry-style attack likely won't work. First,
the government chucked £50 million at the NHS to boost security. "That
might sound fine, if you were spending it centrally, but that's not where
you need it, in my opinion," Woodward says. "I'm not sure £50 million is
going to go a long way." There are about 240 trusts in the NHS, meaning
each would get around £200,000 — enough for a few years' salary for a
security specialist apiece, or enough for some updated systems.

The other measure to avoid a repeat of the ransomware debacle is setting a
target of 48 hours for all trusts to roll out security patches once they're
made available by company developers. But Woodward notes patches should be
tested before being run in critical settings — and a hospital is surely
that. "I don't think this is a technological thing, it's a people thing,"
he adds. "If you think of security as being people, process and systems, I
don't think the problem here was systems. It was people and process."

Overcoming that in a distributed, sensitive organisation like the NHS is
difficult, but throw in the budgetary woes and the only surprise with the
WannaCry incident is that it didn't happen sooner, or cause worse
disruption. While the NHS desperately lacks resources, improving IT is
"money you can't afford not to spend". Woodward adds: "As WannaCry shows,
if you take away the IT, these trusts stop."

Not being willing to fund the cure isn't quite the definition of
iatrogenic, but it's clear we're not making it easier for the NHS to halt
the spread of infections like WannaCry.