What strategic cybersecurity steps are being taken by NHS organisations right now, and are they enough to prevent future attacks?
According to the newly published review authored by Will Smart, chief information officer of NHS England, only 1 percent of NHS activity was directly impacted by WannaCry, with 80 of the 236 hospital trusts affected, plus 595 of the 7,545 GP practices. However, the vulnerability of NHS infrastructure was laid bare for all to see. A historic underinvestment in network security, unpatched legacy software and unpatchable hardware devices were exposed, along with poor discipline and accountability at the highest levels within individual trusts. Although the number of devices in the NHS running on unsupported Windows XP software had dropped to just 1.8 percent at the end of January, NHS England admits that most devices infected by WannaCry were running on the supported, but unpatched, Windows 7 OS. Indeed, none of the 80 trusts affected by WannaCry had applied the Microsoft patch that would have prevented it, despite a CareCERT advisory issued more than two weeks before the attack itself.
Talk, or in this case strategic thinking, is cheap. I work within the NHS, and know that action is more expensive and a lot rarer. Do I think that WannaCry has changed how security will be enforced across trusts? No more than I think that government proclamations over how well the NHS is doing are actually a reflection of the truth.
I can understand the sentiment, but I am hopeful that WannaCry was a turning point of sorts, insofar as it pushed cybersecurity further up the agenda and to a higher level in the C-suite. Whether that translates into affirmative, effective action remains to be seen, of course.