People are easily impressed by numbers, but will the UK government’s cybersecurity strategy be enough to safeguard the NHS from the next big malware attack?

The UK government has signed a deal with Microsoft to upgrade all NHS computers to Windows 10, as part of a strategy to boost resilience in the wake of the infamous WannaCry outbreak last year.

Some £60 million has been invested to improve cybersecurity weaknesses in the NHS since 2017, with the Department of Health and Social Care (DHSC) pledging to spend a further £150 million over the next three years.

This includes the setting up of a new NHS Digital Security Operations Centre to increase the ability to prevent, detect, and respond to incidents.

Breaking these figures down, a total of £21 million has been budgeted to upgrade firewalls and network infrastructure at hospitals, while £39 million has been earmarked towards addressing infrastructure weaknesses.

Costs for the Windows 10 upgrade project were not disclosed.

‘Less than £1 per inhabitant’

People are easily impressed by big numbers so it’s wise to view the cybersecurity revamp in the context of the overall NHS budget, security expert Martijn Grooten told The Daily Swig.

Grooten, a security researcher and editor of industry journal Virus Bulletin, explained: “It’s not a lot of money: £150 million over three years, given £136 billion annual budget and 1.6 million employees, in a country of 65 million people. That’s less than £1 per inhabitant per year, or a bit over £30 per employee per year, or 0.04% of the annual budget.”

Grooten highlighted three broad areas in need of improvement: Health service managers should ensure there is good insight into what is happening on the network; efforts should be made to ensure computers are patched and will remain patchable; and networks should be segregated so that machines that “really can't be patched” (such as older medical equipment) are isolated from malware outbreaks.
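The three areas above (visibility, patching, isolating what cannot be patched) map onto a survey an NHS trust's IT team could run today. The script below is an added example for this article, not code from The Daily Swig, Grooten, or any NHS body; it assumes a domain-joined admin workstation with the ActiveDirectory module (RSAT) installed and WinRM/DCOM access to the hosts queried by Get-HotFix. The list of unsupported operating systems, the 60-day patch-age threshold and the report path are illustrative choices, not figures from the page.

```powershell
# Added example (not from the article): survey an Active Directory estate along
# the three lines above -- what is on the network, whether it is patched and
# patchable, and what must be isolated because it cannot be patched.
# Assumptions: ActiveDirectory module present, WinRM/DCOM reachable hosts,
# and that the threshold and unsupported-OS list are tuned locally.

param(
    [int]$MaxPatchAgeDays = 60,
    [string]$ReportPath = ".\estate-survey.csv"
)

Import-Module ActiveDirectory

# Operating systems Microsoft no longer services. A host still running one of
# these cannot be brought up to date and is an isolation candidate, not a
# patching candidate.
$Unsupported = @('Windows XP', 'Windows Server 2003', 'Windows Vista')

$computers = Get-ADComputer -Filter { Enabled -eq $true } `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate

$results = foreach ($c in $computers) {
    $os = [string]$c.OperatingSystem
    $isUnsupported = $false
    foreach ($u in $Unsupported) {
        if ($os -like "$u*") { $isUnsupported = $true }
    }

    $reachable    = $true
    $latestPatch  = $null
    $patchAgeDays = $null

    if (-not $isUnsupported) {
        try {
            # Get-HotFix reads Win32_QuickFixEngineering remotely. InstalledOn is
            # sometimes empty, so drop those entries before taking the newest.
            $hf = Get-HotFix -ComputerName $c.DNSHostName -ErrorAction Stop |
                  Where-Object { $_.InstalledOn } |
                  Sort-Object InstalledOn -Descending |
                  Select-Object -First 1
            if ($hf) {
                $latestPatch  = $hf.InstalledOn
                $patchAgeDays = (New-TimeSpan -Start $latestPatch -End (Get-Date)).Days
            }
        } catch {
            # A host you cannot query is itself a visibility gap; record it rather
            # than silently skipping it.
            $reachable = $false
        }
    }

    # Turn the raw facts into the action the three recommendations imply.
    if ($isUnsupported) {
        $action = 'ISOLATE (unsupported OS, cannot be patched)'
    } elseif (-not $reachable) {
        $action = 'INVESTIGATE (no visibility: host unreachable)'
    } elseif ($null -eq $patchAgeDays) {
        $action = 'INVESTIGATE (no patch history returned)'
    } elseif ($patchAgeDays -gt $MaxPatchAgeDays) {
        $action = "PATCH (last update $patchAgeDays days ago)"
    } else {
        $action = 'OK'
    }

    [pscustomobject]@{
        Host        = $c.DNSHostName
        OS          = $os
        OSVersion   = $c.OperatingSystemVersion
        LastLogon   = $c.LastLogonDate
        LatestPatch = $latestPatch
        Action      = $action
    }
}

$results | Sort-Object Action | Format-Table -AutoSize
$results | Export-Csv -NoTypeInformation -Path $ReportPath
```

The output is a per-host action list rather than a pass/fail score: hosts flagged ISOLATE are the ones Grooten's third point says belong on a segregated network, PATCH hosts are the Windows 7-era machines that a worm would traverse, and INVESTIGATE hosts are the blind spots that his first point, insight into what is on the network, is meant to close. Hosts that do not appear in Active Directory at all (standalone medical devices, for example) will not show up here and need a separate network-level inventory.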

News of the upgrade plan comes just days after the NHS was criticized by MPs for failing to do enough to improve cybersecurity in the 12 months since the WannaCry outbreak disrupted the smooth running of one-third of the country’s public healthcare trusts.

While it did not specifically target the NHS, the impact of WannaCry on the health service was particularly severe and led to 20,000 hospital appointments and operations being cancelled.

A report by the Public Accounts Committee criticized the health service for a lack of cyber resilience testing or disaster recovery planning in the run-up to the “relatively unsophisticated WannaCry attack”.

Every one of the 200 NHS trusts audited thus far for cybersecurity resilience has failed an on-site assessment, the report revealed.

This failure was largely due to the high standards set, but in some isolated cases particular trusts had not even got around to the basic first aid of patching systems – the main reason why WannaCry spread in the first place.

Windows 10 to the rescue?

The Microsoft deal will allow NHS trusts to update systems to take advantage of the latest Windows 10 security features, such as Windows Defender ATP, which provides detection, investigation, and automated response.

Cindy Rose, chief executive of Microsoft UK, said: “The importance of helping to protect the NHS from the growing threat of cyber-attacks cannot be overstated. The introduction of a centralized Windows 10 agreement will ensure a consistent approach to security that also enables the NHS to rapidly modernize its IT infrastructure.”

Windows XP is still widely used within the health service, years after Microsoft withdrew support for the obsolete technology. Although continued reliance on XP was initially blamed, security researchers later determined that these machines crashed rather than spreading the infection.

The main culprit in spreading WannaCry was unpatched Windows 7 machines.

Public Accounts Committee Chair Meg Hillier MP said: “The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cyber security and response plans of the NHS.

“I am struck by how ill-prepared some NHS trusts were for WannaCry, in many cases failing to act on warnings to patch exposed systems because of the anticipated impact on other IT and medical equipment,” she added.

A step in the right direction

The inconsistent effect of WannaCry is partly explained by the widely differing policies, standards, and cybersecurity procedures in play across the hundreds of separate organizations that make up the NHS. Continued reliance on legacy technologies and tiny IT budgets were also significant factors.

Rob Bolton, director and general manager of Western Europe at Infoblox, said: “The NHS faces significant challenges in securing its networks against cyber-attacks. Unlike more traditional enterprises, some specialized legacy equipment and software may not run on more modern releases.

“This has resulted in a slower shift towards more modern operating systems in some organizations, where there are concerns around potential disruption to ongoing patient care if these critical solutions were to be disrupted.”

David Harley, a former NHS IT manager who now works in the security software industry as a senior research fellow at ESET, told The Daily Swig that IT management in the NHS has been delegated locally.

“Historically, the NHS – or rather the Department of Health – has tended to delegate responsibility for endpoint security to sites, which aren’t always well-resourced financially or in terms of security expertise, while focusing its own attention on big projects like PKI [Public Key Infrastructure] and data protection,” he explained.

Most of the highly publicized NHS security issues in the 21st century have been related to malware, and upgrading to Windows 10 will help security, without in itself being a panacea, according to Harley.

“It does sound as if someone has taken on board the need to move on from XP, but I hope they’ll realize that: a) Installing Windows 10 wherever possible is not the same as implementing a perfectly secure environment; and b) If the NHS still prefers to outsource its security, that it will be very careful about which services it outsources to which company, spending some of that money on finding good, impartial advice rather than being impressed by big names, big budgets.”

New healthcare threats on the horizon

Harley concluded that even a well-executed plan won’t stop breaches happening (they are nigh on inevitable); it will only limit their scope and operational impact.

A new attack group, dubbed Orangeworm, was recently discovered targeting the healthcare sector and related industries in the US, Europe, and Asia.

Orangeworm has been observed deploying a custom backdoor within large international organizations that include healthcare providers, pharmaceuticals, and IT solution providers.

The nefarious activities of the group illustrate the dangerous threat landscape the NHS operates within.

The Public Accounts Committee is calling on the DHSC to provide an update on the cost of WannaCry as well as a plan on “how to target investment appropriately in line with service and financial risks”.

The department and national bodies should work out how local systems can be updated while minimizing disruption to services; ensure all IT suppliers are accredited and that local and national contracts include standard terms to protect the NHS against cyber-attacks; and make sure local and national workforce plans include a focus on IT and cyber skills.