Security and auditing lessons to learn from the NHS cyber attack

3 weeks, 2 days ago by Ben Piper in Healthcare

On May 12th 2017, the NHS was hit by the most serious cyber attack to ever affect the health service in England, with systems up and down the country taken out of commission by the so-called "WannaCry" virus.

Although the impact of the ransomware attack was global, with organisations in more than 150 nations affected, it was the impact on the NHS that generated the most coverage in the UK - not only because of the disruptions it caused to patient care, but also because of the subsequent discovery that the damage to this vital public service was largely avoidable.

The NHS is still working to learn and implement the lessons from this incident, but organisations from every sector should also be looking at the attack as a cautionary tale of the importance of proper security and auditing procedures, and investing in compliance training to ensure that they do not make the same mistakes.

How did security failings contribute to the WannaCry attack?

The impact of the WannaCry incident was wide-ranging and highly damaging, with disruption affecting at least 34 per cent of NHS trusts in England. A report from the National Audit Office (NAO) examining the situation estimated that around 19,000 appointments had to be cancelled, with patients in five areas having to travel great distances for emergency care due to local services being taken out of commission.

It's still unknown exactly how much the attack cost the publicly-funded service, but the amount spent rescheduling appointments, sourcing IT support and restoring the affected data and systems is likely to have been considerable - and could have been more, had a cyber researcher not been able to activate a kill switch to shut WannaCry down.

The NAO's report was quick to point out that NHS security failings were responsible for the malware spreading as far as it did, as all of the affected trusts were running unpatched or unsupported versions of Windows that were susceptible to the ransomware, and had not set up their firewalls properly to offer the necessary protection.

This is particularly damning given that the Department of Health had been specifically warned about the risks of cyber attacks on the NHS a year before WannaCry, but had not taken any formal action to assess whether all hospitals had made the requisite security updates. Additionally, the intended action plan for responding to a national cyber attack had not been tested properly, meaning it was not immediately clear who should lead the response - resulting in significant problems with communications.

What can other organisations learn from this?

NAO head Amyas Morse said: "It was a relatively unsophisticated attack, and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry, so the department and the NHS need to get their act together to ensure the NHS is better protected against future attacks."

The high-profile nature of WannaCry and the damage it caused means that Mr Morse's advice should be heeded by organisations working across all industries. Continuing to run systems with dangerously outdated software can leave critical systems open to all sorts of attackers, and a lack of proper planning when it comes to responding to such an attack can result in the damage spreading at a rapid pace.

As such, it's essential for any organisation that depends on an IT system - from small businesses through to nationwide public services - to invest in a proper auditing system and compliance training for staff. This must ensure that everyone involved shares the same commitment to proper security standards, and is working towards a shared definition of how to achieve them. Failing to learn the lessons of the WannaCry attack means dooming your organisation to repeat its consequences.

Summary: A report has shown that the cyber attack on the NHS in May could have been prevented by basic security improvements and auditing tools - meaning that organisations from all sectors have something to learn from the incident.

Source
www.nao.org.uk


Author: Ben Piper

Ben is a member of the Virtual College marketing team. He has a degree in economics and writes about business and education issues. In his spare time he loves food, drink and films.
