Ransomware: How the NHS learned the lessons of WannaCry to protect hospitals from attack

The UK's National Health Service was a major victim of the WannaCry ransomware attack - but now a focus on patching and backups aims to stop hospitals being disrupted again.
Written by Danny Palmer, Senior Writer

Four years ago, the UK's National Health Service suddenly found itself one of the most high-profile victims of a global cyberattack.

On 12 May 2017, WannaCry ransomware hit organisations around the world, but hospitals and GP surgeries throughout England and Scotland were particularly badly affected. A significant number of services were disrupted as malware encrypted computers used by NHS trusts, forcing thousands of appointments to be cancelled and ambulances to be rerouted.

Wannacry was launched by North Korea, which used EternalBlue, a leaked NSA hacking tool, to spread as far and wide as possible – and it just so happened that many NHS Trusts were running Windows machines that had yet to receive the critical security patch that been released by Microsoft earlier.

SEE: Network security policy (TechRepublic Premium)

It was and still is the largest cyberattack to hit the UK and, even if the NHS wasn't actually a specific target of WannaCry, it was a wakeup call at to how ransomware and other cyber campaigns can be a risk to an organisation with 1.5 million employees, which provides healthcare services across the entire country.

WannaCry happened before ransomware rose to become the significant cybersecurity issue it is today and the NHS and National Cyber Security Centre know that if another ransomware campaign infiltrated the network, the impact could be devastating – particularly during the COVID-19 pandemic.

"For the NHS, ransomware remains one of our biggest concerns," said Ian McCormack, deputy director for government at the National Cyber Security Centre (NCSC), speaking during a panel discussion at the NCSC's CYBERUK 21 virtual conference.

"Ransomware packages have got much more sophisticated; ransomware is becoming much slicker in terms of how it's developed."

To protect networks from ransomware attacks, the NHS has learned the lessons from WannaCry and is aiming to ensure that it's harder for cyber criminals to exploit vulnerabilities in order to distribute malware.

One of those lessons is making NHS Trusts aware of newly disclosed security vulnerabilities and, if needed, providing support in order to apply the relevant patches.

The NHS trusts that had already applied the critical Microsoft update to patch EternalBlue avoided falling victim to WannaCry – so it's hoped that by providing the resources to enable patch management, networks can be protected against future attacks that attempt to exploit new vulnerabilities.

"Within NHS Digital and working closely with NHSX and NCSC, we offer a high-severity alerts process, so we will review and triage vulnerabilities," said Neil Bennett, chief information security officer (CISO) at NHS Digital, the national IT provider for the NHS.

"And where we believe vulnerabilities are particularly critical and applicable to the NHS, we'll push out alerts advising organisations to take action to remediate and put time scales around it".

Recent flaws NHS Digital has helped hospitals and GP surgeries protect their networks against include zero-day vulnerabilities in Microsoft Exchange Server, plus TCP/IP vulnerabilities discovered in millions of Internet of Things devices.

If abused, both could enable cyberattacks to take control of machines and gain wider access to networks, helping lay the groundwork for additional attacks – so NHS Digital was keen to ensure the patches were applied.

"We've encouraged organisations to move at pace and, when needed, offer support," said Bennett.

But there's more to protecting against a ransomware attack than just applying the correct security patches and a lot of effort has gone into ensuring there are backups for NHS systems across the country.

SEE: Ransomware just got very real. And it's likely to get worse

That means if the worst happens and somehow a network did fall victim to a ransomware attack, it's possible to restore the network from a recent point, without having to consider paying a ransom to cyber criminals.

"Backups was a very key area of focus for us," said Bennett, who described how in some cases that has meant entirely new backup systems.

"We provided support to individual trusts on reviewing their backups, very much aligned with the NCSC's backup guidance. Then with the findings we'd support the organisations remediating against recommendations and in some cases NHSX actually funded new backup solutions, ideally cloud-based backup solutions," he explained.

It's evident that cyber criminals will attempt to exploit any vulnerability they can in order to infect a network with ransomware or any other form of malware – and it's hoped by regularly providing assistance with security patching, and providing advice on backups, another WannaCry can be avoided, especially as cyberattacks against healthcare providers elsewhere have demonstrated how dangerous they can be.

"There's been numerous ransomware incidents around the world that have affected healthcare organisations in the US and France, for example, and that shows that the health sector is certainly not immune to that threat," said McCormack.


Editorial standards