Policy Brief: Lessons to be learned from the 2017 NHS WannaCry attack.
1 Contents
1. Abstract
2. Executive Summary
3. Problem Description
4. Analysis
5. Policy Options
6. Conclusion
7. Bibliography
2 Abstract
This policy brief provides an analysis of the 2017 WannaCry cyberattack and its effect on the U.K.’s National Health Service. The aims of this document are to demonstrate how the NHS was unprepared for such an event due to lax network security and an over-reliance on legacy systems, and to review ex post facto developments with a consideration of policy options for future prevention of such attacks.
3 Executive Summary
1. A worldwide ransomware attack in 2017 severely affected the U.K.’s National Health Service (NHS), attacking vulnerable NHS systems in May.
2. 80 NHS trusts and 603 primary care organisations were affected, either primarily (by being infected) or secondarily (shutting down computer systems as a precaution).
3. The lateral spread of the ransomware throughout the NHS network was a result of improper security protocols and was easily preventable.
4. The NHS requires a significant and wide-reaching upgrade in terms of cybersecurity and network hygiene.
5. There is a significant lack of data collected by the NHS that ultimately prevents the accurate analysis of service disruption and limits the value of the conclusions that may be drawn from this paper.
4 Problem Description
On Friday 12th May 2017 a ransomware attack known as ‘WannaCry’ affected more than 200,000 computers worldwide (Strategic Comments pp.1). In the UK, the National Health Service (NHS) was particularly affected despite not being a specific target. By the afternoon of the 12th, the attack had been declared a ‘major incident’ and emergency measures were implemented across trusts to prevent the worm from spreading further (NAO pp.4).
According to NHS England, 80 of 238 trusts nationwide were affected – partially due to being infected but also as a result of trusts turning off systems as a precaution. A further 603 ‘primary care’ organisations such as General Practitioners, Dentists and Opticians were also affected (Lessons Learned pp.5, NAO pp.4).
The WannaCry ransomware is a cryptoworm, a type of malware that encrypts data and demands a ransom for its restoration. In the case of WannaCry, this was a sum of $300-600 to be paid in bitcoin to unique payment addresses. WannaCry is propagated by an exploit known as ‘EternalBlue’, initially developed by the NSA and leaked by the hacker group ‘Shadow Brokers’ in April of 2017 (Nakashima and Timberg, 2017), which works by exploiting a vulnerability in the Windows OS implementation of the Server Message Block protocol. This vulnerability allows hackers to execute arbitrary code without administrator access on compromised units (ESET Customer Advisory, 2017).
5 Analysis
The NHS was in no way prepared for the WannaCry attack, having a reputation for being reliant on legacy software (Strategic Comments, viii). Trusts had been warned numerous times, including one month prior to the event, to migrate from Windows XP software (Committee of Public Accounts, 2018). Yet at the time of the attack 18% of NHS devices were running Windows XP, a 2001 OS that has been unsupported (no longer receiving security updates) since 2016. Furthermore, none of the 80 NHS organisations affected by the attack had applied the security patch released by Microsoft alongside bulletin MS17-010 despite being advised to by NHS Digital on the 25th of April (Smart, 2018).
NHS organisations are connected by the N3 intranet. Many local authorities have access to this and it is primarily used to facilitate information sharing between primary and secondary care organisations. The lack of action taken toward network-facing firewalls allowed the worm to spread laterally across the network. The network is currently being replaced by the Health and Social Care Network, which will facilitate connectivity between the NHS, local authorities and social care providers.
The full extent to which WannaCry disrupted services is still unknown. 80 of 236 trusts were affected – 34 infected (25 of which were acute trusts) and 46 reporting disruption. 603 primary care organisations were also infected (NAO pp.6). NHS England identified 6,912 appointment cancellations but did not collect data on ambulance and patient diversions. A total of 1% of NHS diagnostic equipment (1,220 units) was affected, leading to delays in test processing and communication – this does not include any disrupted equipment in primary care organisations.
An estimated cost report was published by the Department of Health and Social Care in October 2018, despite an initial statement from NHS England that they would not compile a cost report. It estimates both ‘direct impact’ (lost output of patient care) and IT costs to be in the region of £92 million (Department of Health and Social Care, 2018).
6 Policy Options
1. It is imperative that local systems remain on top of patches and security updates with minimal disruption to the routine operations of the NHS.
2. All third-party suppliers, such as those who provide imaging units to the health service, should be party to a contract with standard terms for the maintenance of those devices.
3. The NHS must develop a cohesive response plan and enforce a culture of collective responsibility, educating all staff on the direct risks to frontline services and making sure they understand the fundamentals of good network hygiene.
4. Cybersecurity must become a key characteristic of patient care culture, rather than allowing organisations to become complacent with their standards.
5. The NHS should begin routinely collecting diagnostic data - attacks cannot be pre-emptively anticipated and having a dataset from which we can draw qualitative conclusions as to cost and impact will help the NHS to push for an increase in Cybersecurity funding for all organisations.
7 Conclusion
It is at this point worth noting that health-care is a uniquely vulnerable target in cyberattacks. The data collected is substantially more valuable than any other (Sulleyman, 2017) and those responsible for the attack stand to gain both financially and politically. It is startling that the WannaCry attack was able to dismantle critical NHS systems and cause an extreme amount of disruption to the service without even targeting it specifically, in spite of it being a relatively unsophisticated attack.
While this report acknowledges there is no way to completely safeguard an institution from an attack, such situations are preventable through relatively simple tasks. Good network hygiene need not be any more than ensuring the timely installation of patches and maintenance of firewalls. In not following the recommendations sent to them by CareCERT notifications on 17th March and 28th April, all affected NHS organisations exposed themselves unnecessarily to extreme risk. Higher standards of security must be implemented and maintained across the network before the introduction of the HSCN as the collateral risk is much higher.
Furthermore, should NHS Digital require more funding than it is currently in receipt of in order to implement good network care, the WannaCry attack could have acted as a force for good if the proper data was collected and presented to ministers ex post facto. As there was none collected, there is a distinct lack of certainty as to how much funding is required and ministers can only fund prospectively.
8 Bibliography
Committee of Public Accounts (2018). Cyber-attack on the NHS: Conclusions and recommendations.
Coventry, L. and Branley, D. (2018) Cybersecurity in healthcare: A narrative review of trends, threats and ways forward. Maturitas.
Department of Health and Social Care (2018). Securing cyber resilience in health and care: Progress update October 2018.
Mansfield-Devine, S. (2017). Leaks and ransoms – the key threats to healthcare organisations. Network Security, 2017(6), pp.14-19.
ESET Customer Advisory (2017). Vulnerability CVE-2017-0144 in SMB exploited by WannaCryptor ransomware to spread over LAN.
Mayor, S. (2018). Sixty seconds on . . . the WannaCry cyberattack. BMJ, p.k1750.
Microsoft (2017). Security Update for Microsoft Windows SMB Server (4013389).
Nakashima, E. and Timberg, C. (2017). NSA Officials worried about the day its potent hacking tool would get loose. Then it did. Washington Post.
National Audit Office (2018). Investigation: WannaCry cyber attack and the NHS.
Online Trust Alliance (2018). Cyber Incident Breach Trends Report. Review and analysis of 2017 cyber incidents, trends and key issues to address.
Smart, W (2018). Lessons learned review of the WannaCry ransomware Cyber Attack.
Sulleyman, A. (2017). NHS Cyber Attack: Why stolen medical information is so much more valuable than financial data. The Independent
The WannaCry ransomware attack. (2017). Strategic Comments, 23(4), p.vii-ix.