Lessons from the NHS: A bitter pill to swallow


The WannaCry cyber-attack, which took place earlier this month, has made headlines all over the world in recent weeks. Already documented as the biggest ransomware attack in history, the hackers shut down IT systems worldwide, with a staggering 75,000 attacks in 99 countries. However, of those impacted, the organisation which has been given the most media attention is, undoubtedly, the NHS.

On Friday 12th May, medical staff across the country ended their week to find a ransomware note from hackers stating that all files would be deleted unless a bitcoin ransom was paid. Surgeries, health centres and hospitals across the UK were left unable to access computer files and patient records, resulting in cancelled operations and appointments, not to mention mayhem amongst staff and a media frenzy.

Members of the public have been reassured that the hackers did not manage to get their hands on any sensitive information. But considering the moral duty of health organisations to protect patient data from serious breaches in the first place, you would expect healthcare to be better at avoiding such threats. With so much personal and important data at risk, what can be learnt from this hack and what could have been done to prevent it?

What went wrong?

Unlike many high-profile hacks, the attack against the NHS is unlikely to have been caused by a malicious phishing email. Instead, it is believed to have spread through the Windows Server Message Block (SMB) protocol, a system used to share files between computers. This system is usually used on closed networks, but it is thought that a hacker gained access and caused such havoc via a computer that went online from a public network.

According to our Healthcare Compliance Report, the value of a healthcare record is seven to ten times greater than a credit card record. This is because protected health information (PHI) has a longer “shelf life” than traditional financial data, and it can provide foreign governments with a unique view of a population.

Fortunately, in this instance, the juiciest data, such as patients’ medical records, addresses and dates of birth, was kept safe... this time. But it could have all been very different. The importance of the information the NHS has on record cannot be overstated. The data held by the healthcare industry is highly confidential and includes details on every birth and death, every immunisation, basically every interaction you’ve ever had with a medical professional.

Had the hackers succeeded in stealing, or even deleting, thousands of medical records, it would have been catastrophic. Not only would it have damaged the NHS’s reputation and potentially resulted in numerous lawsuits, there are also clear negative implications for the rights of patients and customers.

Ensuring a clean bill of health for IT systems

Our research shows that across three of the US and UK’s most heavily regulated industries (legal, financial and, you guessed it, healthcare), 43% of employees did not receive IT training upon joining the company and 40% of companies did not even have a documented IT security policy to speak of. These naïve and irresponsible approaches to securing sensitive data speak volumes about how easy it was for hackers to access the NHS network.

Although the stakes are arguably higher when it comes to securing data within healthcare, every industry is similar in one sense. Because employees in any business are human, and therefore prone to making errors, having an updated IT security policy in place and effective training for every member of the team is essential.

But creating a culture of safe IT practices amongst everyone in your company is not enough. As the recent hack on the NHS shows, it isn’t always an incompetent or ill-prepared member of staff who opens up a company’s data to hackers. Context-aware technology complements the human aspect of security by preventing poor practices from happening in the first place.

Context-aware security uses information other than valid login credentials to decide whether access is genuine or not. This could come in the form of the time of day the attempted access is taking place, the user’s geographical location or the device being used to access the files. That means that, had the NHS implemented this technology, it would have recognised that an external, public computer was attempting to access sensitive files and folders and automatically refused this user access. Granular access rules such as this mean the network remains protected in real time, at all times.
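To make the idea concrete, here is an added illustration (not UserLock’s or any IS Decisions product logic) of a context-aware access decision: valid credentials are necessary but not sufficient, and the source network, device and time of day each contribute to the decision. The trusted subnet, device names, hours and sample attempts are all constructed for this example.

```python
"""Context-aware access decision: credentials alone do not grant access.
Added example, not IS Decisions' code; every rule value below is constructed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed policy: the trust context a logon must satisfy.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # hospital LAN (hypothetical)
APPROVED_DEVICES = {"WARD-PC-017", "THEATRE-WS-02"}    # registered hosts (hypothetical)
WORK_HOURS = (7, 20)  # permitted window: 07:00 inclusive to 20:00 exclusive, local time

@dataclass
class Attempt:
    user: str
    src_ip: str
    device: str
    when: datetime
    valid_credentials: bool

def evaluate(a: Attempt) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every failed contextual check is recorded,
    so an admin can see why a logon with good credentials was refused."""
    if not a.valid_credentials:
        return False, ["bad credentials"]
    reasons: list[str] = []
    ip = ipaddress.ip_address(a.src_ip)
    if not any(ip in net for net in TRUSTED_NETS):
        reasons.append(f"source {a.src_ip} is outside trusted networks")
    if a.device not in APPROVED_DEVICES:
        reasons.append(f"device {a.device} is not approved")
    if not (WORK_HOURS[0] <= a.when.hour < WORK_HOURS[1]):
        reasons.append(f"outside working hours ({a.when:%H:%M})")
    return not reasons, reasons

# Constructed attempts: a ward PC during the day, then an unknown machine on a
# public network in the small hours, both presenting the same valid credentials.
SAMPLES = [
    Attempt("nurse.a", "10.20.4.31", "WARD-PC-017", datetime(2017, 5, 12, 9, 15), True),
    Attempt("nurse.a", "203.0.113.9", "UNKNOWN-LAPTOP", datetime(2017, 5, 12, 2, 40), True),
]

if __name__ == "__main__":
    for s in SAMPLES:
        ok, why = evaluate(s)
        print(s.user, "ALLOW" if ok else "DENY", "; ".join(why))
```

The second attempt is denied on three independent grounds, which is also what you would want logged and alerted on rather than silently dropped.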

No single security policy is perfect, but by finding a balance between user education and technology, the NHS’s IT team could have significantly reduced their chances of being part of this huge cyber-attack. Tools such as UserLock and FileAudit enable greater control for admins and completely restrict various careless user behaviours, as well as encouraging good behaviour through alerts and notifications. Just what the doctor ordered.

Chris Bunn is the Directeur Général Adjoint of IS Decisions, a global cybersecurity software company, specializing in access management and multi-factor authentication for Microsoft Active Directory environments and the cloud.