Ransomware attacks in May 2017 brought down the UK’s National Health Service (NHS) for a week. Reporting on the incident, the NHS found that few Trusts – regional healthcare administrative units – passed the cybersecurity standards set by the agency. The board took the blame for the breach, and put protection at the top of its priorities. The board has now set a cybersecurity agenda for the Trusts to follow.
Ransomware attack shows NHS Trust vulnerability
NHS Trusts – regional healthcare administrative units – were left vulnerable in a major ransomware attack in May because cybersecurity recommendations were not followed, according to a report by the UK National Audit Office released on 27 October 2017.
More than a third of trusts in England were disrupted by the WannaCry ransomware, according to the report. At least 6,900 NHS appointments were cancelled as a result of the attack. At least 595 GP practices were affected and 19,000 appointments cancelled, including 100 that were cancer-related, according to the auditors. The NHS has been unable to calculate the cost of the massive attack, which also hit 150 other countries, but analysts said it must run to the millions of pounds.
An assessment of 88 out of 236 trusts by NHS Digital before the attack found that none passed the required cybersecurity standards. The agency’s board found that most NHS computers were running the outdated Windows XP operating system, and that patches to fix vulnerabilities had not been applied as the agency’s cybersecurity arm, Digital Health, had directed.
A plan had been in place, but it had not been communicated or applied by the Trusts.
“When disaster struck, nobody seemed to know who was in charge or what to do,” explained Digital Health Head of Enterprise Architecture Inderjit Singh.
“Board Members must act to prioritise cybersecurity”
Speaking on 8 December 2017, Singh said that there must be a unified front on cybersecurity from NHS board members for there to be any meaningful change following WannaCry. “Moving cybersecurity to the top of board-level agendas should be the focus of the NHS’s efforts in building technical resilience.” He warned that failure to do so “would guarantee a repeat of the events that crippled NHS services in May.”
Key to this is moving the cyber conversation from being an IT issue to one concerning leadership, said Singh. “WannaCry brought home the fact that this is a business continuity issue, not a technology issue. It has front-line implications for services, and front-line implications around disruption to services. In terms of board-level engagement and conversations around cyber, we need to drop the term cybersecurity and talk more about business continuity.”
Planning: Boards and Network
Singh highlighted the need for the NHS to create cyber-leadership roles across the organisation and establish better communication between departments.
“This is an area that has significant immaturity at all levels: regional, national and local. We need to take a system-wide approach around this,” Singh said.
“We want to create a network of leads who can talk about best practice and when issues are arising, and share that knowledge and understanding. At the moment, it feels there are people taking on those responsibilities because there aren’t other people to do that… For the board, this is where the biggest gap and effort is required.”
A report by the Chartered Institute for IT concluded that NHS Trust Boards need to be equipped to ask whether there is an appropriate cybersecurity plan in place and working, and they need to know who at the Trusts will take responsibility for it.
“And those who are asked need to know how to answer. If this is in place, we have a system that works. We do not believe that this is controversial or at its heart a politically differentiated matter, but a simple case of professional collaboration,” the report says.
According to the report, by the end of 2017, the NHS would have defined the roles of NHS organisational boards across the UK and of IT/cyber professionals in the NHS, including what they can expect from each other and what the public can expect of them. This will result in clear standards of practice for NHS organisations’ boards, as well as standards for accreditation of relevant professionals to deliver for boards. There will also be a public and professional consultation on these definitions and standards, to ensure they meet the needs of other health and care professionals and the general public.
Erik Silfversten, a healthcare industry analyst at RAND Europe, proposes a strategy for the NHS to protect effectively against cyberattacks.
“The central coordination and preparation to deal with cyberattacks need to be translated into local resilience. The NAO report noted that the NHS at a central level and the Department of Health were relatively [well] prepared for a severe attack, but local trusts and bodies were not. There was also confusion about the roles in dealing with cyberattacks at a local level. NHS Improvement and CQC can mandate local NHS bodies to improve their performance, but neither is primarily concerned with cybersecurity or IT. In contrast, NHS Digital provides cybersecurity advice and guidance, but cannot mandate local action, even in the presence of a confirmed vulnerability or threat.”
Finally, effective crisis communication processes need to be in place, Silfversten insists. “The absence of clear processes amplified the impact of [the] WannaCry attack, with different local NHS bodies reporting the attack to different authorities including the police, NHS England, NHS Digital and the National Cybersecurity Centre.”
Diligent Boards provides the highest level of security
Protection against attacks and threat detection are an intrinsic part of Diligent Boards.
A world of governance and IT knowledge informs the security behind Diligent Boards, Diligent Messenger, Diligent Evaluations and Diligent D&O. Data is hosted on secure servers and a world-class infrastructure that Diligent owns and operates. All of Diligent’s solutions are ISO and TRUSTe-certified and internationally audited, with robust customisable encryption and data access. If a device is lost or compromised, our remote wiping capabilities allow you to swiftly mitigate risk.