As sunshine illuminated Friday lunchtime on 12 May 2017, reports started to pop up on local news sites and social media that the NHS was experiencing a cyber-attack. By tea-time, it was clear that it was caught up in the world-wide WannaCry event.
The ransomware attack affected 150,000 computers in 150 countries, but in the UK it had a very visible impact on the health service. Some trusts closed their A&Es as IT teams worked across the weekend to get systems up and running again.
Dr Saif Abed, a founding partner of the Abed Graham consultancy, a partner of Highland Marketing, has spoken extensively about WannaCry, the various reports that have been written on its impact, and on what needs to happen next. He talks to Lyn Whitfield.
- What is your memory of 12 May? Were you surprised, at the time, that the NHS was affected by this kind of attack? Do you agree with a recent Public Accounts Committee report that the NHS was, in fact, “lucky” (the attack hit on a Friday afternoon and the kill switch was found quickly, which minimised disruption)? How easily could the impact have been worse?
- My memory of the time is still remarkably vivid, if only because I heard about what was happening from personal contacts and not just the news. Was I surprised? I have to say: ‘No’ because I had been commenting on the risks that healthcare organisations were facing for some time.
But, of course, there was no way I could have predicted how a national attack would play out. As far as the level of disruption goes, it could definitely have been a lot worse. A more targeted attack could have been much more devastating.
I’m of the mindset that health IT is the new frontier of cyberwarfare. Future attackers will look to target the integrity of health IT systems, not just whether they are available or not. Imagine what would happen the day drugs are administered from an e-prescribing system and patient medications are mixed up because of a cyber-attack. That gives you a flavour of how bad things could get.
- When we spoke a few days after the attack, you said there should be a “forensic” inquiry into what happened. Do you think the inquiries that have been held have done that job? At EHI Live last October, you also warned that there was a “blame” culture around WannaCry. Have the inquiries encouraged or stopped that?
- There have been a number of inquiries from different government agencies that have shed light on the state of cyber security in the NHS; and that’s been positive. What is important is to build on the conclusions and recommendations of these reviews, by actioning them in practice.
I think that is starting to happen. We all know that public sector organisations are cash-strapped, so we can only move at a certain pace, but I think, overall, there’s been positive progress. I would like to see a greater focus on clinical leadership and contingency planning for clinical services, but I think that will develop sooner rather than later because the stakes are so high.
I would also re-emphasise that a blame culture has to be avoided. We have to stay focused on the task at hand rather than point fingers. There have been some reports that have perhaps strayed into this territory, but not enough to hamper progress, I would suggest.
- If you were asked to pick out just one legacy of the attack, what would it be?
- Cyber security is a patient safety issue and we are all accountable. That has to be the headline statement. If we only focus on buying more technology – and ignore human and process factors – then truly devastating attacks will be inevitable.
- Do you think the NHS is in a better position on cyber security than it was a year ago? NHS Digital has put out a big ‘lessons learned’ report, but the Public Accounts Committee is worried that there is no detailed, costed plan to implement it. Do you think it’s right? And if so, where do you think national and local organisations need to focus their efforts?
- The NHS is in a better position because there’s greater awareness and cyber security is becoming, gradually, a board level agenda item. Also, the government has been allocating more funding while government agencies have been liaising with industry to bolster cyber defence capabilities.
These centrally driven moves are critical. At a local level, it’s a more mixed picture, as you would expect given variations in digital maturity. We are still a way away from having Cyber Essentials adopted uniformly across the NHS, let alone having compliance with the major regulatory requirements outlined in the EU’s NIS Directive – which is under the ownership of the Department of Culture, Media and Sport for the NHS.
My primary guidance would be not to rely on buying more technology. If you are following the National Cyber Security Centre’s guidance, you will see that there is much more talk of humans being the strongest link in security. And I think that’s where attention needs to be.
NHS organisations need to ask themselves: ‘When technology fails, as eventually all systems do, can you maintain clinical services as usual, with minimal disruption?’
- Most security experts seem to think that another cyber-security incident is inevitable. As and when one hits, do you think the NHS will be in a better position to respond?
- Depends on the nature of the attack I’m afraid! A little bit of ransomware: sure. But a co-ordinated nation-state attack targeting the integrity of clinical information systems: I think we have more work to do. The good news is we can get there through collaboration and resolute co-ordination.