Post-WannaCry, UK Promises NHS England a Funding Injection
But Solving Cybersecurity Problems Requires More Than Pounds and Pence
Reacting to a report that said the WannaCry outbreak could have been prevented at NHS England, the British government says it's been increasing cybersecurity funding for England's national health service.
But as the report from Parliament's independent National Audit Office found, the failure to block the WannaCry outbreak by NHS England did not just result from poor patching and other basic information security practices. The NAO also blamed poor communication and resilience planning as well as a failure to hold any NHS organization accountable for its cybersecurity practices or policies (see Postmortem Finds NHS 'Could Have Prevented' WannaCry).
"This is not a cybersecurity failure in the practicalities, but a failure of cybersecurity management at the top level," Eerke Boiten, a professor of cybersecurity at De Montfort University, and David S. Wall, a professor of criminology at the University of Leeds, say in a blog post.
Plenty of Blame
On Friday, the NAO published the results of its probe into how the WannaCry outbreak impacted NHS England and found blame with both it and the U.K. government's Department of Health, as well as lessons to be learned (see WannaCry Probe: Scotland, Wales and Northern Ireland React).
The probe had only praise for NHS Digital, England's national provider of information, data and IT systems for the NHS and affiliated organizations, which disseminates emergency security alerts, including patch updates. Notably, NHS Digital had advised all organizations affiliated with NHS England to install the emergency patches from Microsoft, issued in March and April, for the Server Message Block (SMB) protocol that WannaCry would target starting in May.
The organizations' failure to act on that advisory should not be surprising. NHS Digital regularly audits the cybersecurity practices of NHS England trusts. Recent audits, alarmingly, found that of the 88 trusts (out of 236) that were audited, "none had passed," the NAO reported.
But there appeared to be no consequences as a result of these failures. "NHS Digital cannot mandate a local body to take remedial action even if it has concerns about the vulnerability of an organization," the NAO report says.
Since the WannaCry outbreak, however, the Care Quality Commission, which inspects and regulates health and social services in England, has begun unannounced cybersecurity inspections, a Department of Health spokeswoman tells Information Security Media Group.
"The NHS has robust measures in place to protect against cyberattacks," she says. "Since May, we have taken further action to strengthen resilience and guard against future attacks, including new, unannounced cybersecurity inspections by the CQC, £21 million ($27.8 million) in funding to improve resilience in trauma centers and enhanced guidance for trusts."
More Funding Promised
The U.K. Department of Health and NHS England have agreed with the NAO's findings and promised to implement extensive changes and improvements. The probe, for example, found that while the Department of Health had developed a business continuity plan, it remained untested and wasn't communicated to NHS trusts, which were left floundering after WannaCry killed their email access.
While it's good that the U.K. Department of Health and NHS England have promised changes, it's important to note that historically, both have been slow movers.
In July 2016, for example, Fiona Caldicott, the U.K. National Data Guardian for Health and Care, issued a report highlighting a dangerous shortfall in cybersecurity funding by NHS England.
The Department of Health didn't respond to her report until 12 months later - two months after the WannaCry outbreak - when it said it would be making additional investments.
"We will boost investment in data and cybersecurity above the £50 million ($66.1 million) identified in the spending review to address key structural weaknesses, such as unsupported systems," the Department of Health said in its July response. "We will target an initial £21 million ($27.8 million) of capital funding to increase the cyber resilience of major trauma sites as an immediate priority, and improve NHS Digital's national monitoring and response capabilities."
It's not clear to which "spending review" the report is referring. The "£50 million identified" appears nowhere in Caldicott's July 2016 report. The Department of Health didn't immediately respond to a request for clarification.
Funding Only Goes So Far
Ed Tucker, CIO of data protection firm DP Governance and former head of cybersecurity for HM Revenue & Customs, tells ISMG via Twitter that the funding is "a significant amount, until you then break down the scale of the NHS. Then it becomes not very much. Not very much at all."
Tucker says that while any funding is better than no funding, improving cybersecurity in every NHS-related organization will require a "big" effort. "Fixing the basics always is," he says, "especially if you don't want to compromise operational outcomes."
"But it's a big task. Retrofitting / fixing the basics always is. Especially if you don't want to compromise operational outcomes." - Ed Tucker (@Teddybreath), October 27, 2017
Luckily for NHS England and the government, the WannaCry outbreak could have been much worse, especially if security researcher Marcus Hutchins, aka MalwareTech, hadn't accidentally found a "kill switch" for the ransomware.
"Given the lessons learned discussed in the NAO report, hopefully the NHS will be better prepared next time," Boiten from De Montfort University and Wall from the University of Leeds say in their blog post. As both noted, however, one of those lessons is that top-level executives must do a better job of managing cybersecurity.
Without a doubt, future outbreaks will test these preparations. "As there will definitely be a next time, the NHS had better have learned its lessons, because the implications of not doing so could be much greater" than the WannaCry disruptions, Boiten and Wall say.
In recent years, NHS England appeared to be facing not just a cybersecurity crisis, but also an inability to recruit and retain experienced, senior professional managers, which could complicate any efforts to overhaul cybersecurity. From 2010 to 2014, the number of senior managers had declined by 18 percent, according to NHS workforce statistics.
But that trend appears to have been reversed, with health service figures released this week showing a 13 percent increase in the number of senior managers working in the service in less than three years.
Boiten tells ISMG that the number of senior managers isn't the problem, but rather the need to build better reporting structures and close loops. Thankfully, such efforts are now in progress. "Much of what NHS England, NHS Digital and DoH are setting in motion is the right stuff," he says.
Update (Nov. 1): Added latest NHS workforce statistics and additional comment from De Montfort University's Eerke Boiten.