Saturday 12th May will mark one year since the WannaCry attack on the NHS. There’s been plenty of critical assessment about how the health service could avoid another WannaCry attack. But, as the anniversary of the attack looms, we need to understand that improving cybersecurity for the NHS cannot be done instantly. Last year, the government pledged to boost investment in data and cyber security for the NHS by over £50m. However, the size and complexity of the organisation’s IT estate means this investment is not going to deliver positive outcomes for several years.
During WannaCry many NHS Trusts had to shut down all systems to contain the threat because there wasn’t enough visibility of what parts of their network and services were affected. So, how can the NHS safeguard against a repeat occurrence?
IT security experts commented below.
Peter Batchelor, Director at Skybox Security:
“Cybersecurity for cybersecurity’s sake, including an obsession with metrics of malware blocked, isn’t appropriate when what’s of prime importance to the NHS is that patient services will not be interrupted by another cyberattack. Visibility of threats and vulnerabilities is key but not if it simply hands a small and overstretched team of NHS IT specialists an even longer to do list. They are desperate for practical support that tells them what the priorities are to work on immediately and automates much of the workload of closing down vulnerabilities effectively.”
Peter continues, “Despite criticism, NHS Digital and other stakeholders are working incredibly hard to make our NHS more secure for all of us. Their prime concern is delivering excellent medical services and outcomes for patients. Cybersecurity must serve this end but must not get in the way. Letting teams see and assess the risks and security priorities clearly, being able to run attack simulation on a daily/weekly basis and at the touch of a button without interrupting medical care or placing additional burden on the limited NHS IT resources, is what the NHS requires and, in our experience, is already working towards.”
Ken Spinner, VP of Field Engineering at Varonis:
“WannaCry served as a cybersecurity wake-up call for many organisations that were falling behind in their routine IT responsibilities. While WannaCry tore through organisations like the NHS, companies that kept their systems updated with the latest patches, performed backups and took proactive security measures emerged unscathed.
Companies should be making it as difficult as possible for attackers to be successful at their job. It takes time, talent and resources to keep attackers at bay. The NSA exploits have been in the wild for some time now and attackers are hard at work on new variants.
Security is a C-level issue and a boardroom issue, and IT and CISOs should be at the table. Companies need to heed the call, understand their risk and place security at the top of the agenda – the alternative could be lost productively and costs as companies scramble to return to business as usual after an attack.
It’s human nature to address immediate concerns and fall back into old patterns. But companies can’t let their guard down. You’ve got to avoid a sense of complacency and plan ahead to tackle the newest threats. Attackers will think of something new that renders some preventative IT measures obsolete.”