The WannaCry cyber incident was a global attack on an unprecedented scale. While it was not directly targeted at the NHS it had a major impact on health and care. We send out threat intelligence, remediation patches and updates that are released by suppliers on a regular basis, ranging from minor functionality changes to more fundamental security fixes. A security patch was sent out in March 2017 as part of Microsoft’s general monthly update.
In April, we received intelligence linking a specific threat to the vulnerabilities that the March Microsoft patch addressed. We sent a bulletin via the CareCERT service (which organisations are encouraged to register for) to more than 10,000 security and IT professionals and managers with responsibility for local systems, to alert them to this specific issue.
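The March 2017 update referred to above is Microsoft's MS17-010, which closed the SMBv1 flaws that WannaCry's worm component exploited two months later. The script below is an added example, not code from this page or from NHS Digital, that a local IT team could run on a Windows host to check whether that exposure is closed: it reports whether the SMBv1 server is enabled, whether the SMB1 optional feature is installed, whether one of the MS17-010 updates is visible, and whether TCP 445 is listening. The function names (`Test-WannaCryExposure`, `Disable-Smb1`) and the list of KB identifiers are assumptions made here; the KBs are the March 2017 MS17-010 releases for the versions named, and on Windows 10 later cumulative updates supersede the original KB, so the SMBv1 state is the more reliable signal than `Get-HotFix`.

```powershell
# Added example (not from the NHS Digital page): local check for the SMBv1
# exposure that WannaCry used. Run in an elevated PowerShell session.
# Assumption: the KB list below is the March 2017 MS17-010 set for the named
# versions; confirm it against Microsoft's MS17-010 guidance for your build.

function Test-WannaCryExposure {
    [CmdletBinding()]
    param(
        [string[]]$KnownPatches = @(
            'KB4012212', # Windows 7 SP1 / Server 2008 R2 security-only update
            'KB4012215', # Windows 7 SP1 / Server 2008 R2 monthly rollup
            'KB4012598', # Windows XP / Vista / Server 2003 / 2008 out-of-band update
            'KB4013429'  # Windows 10 1607 / Server 2016 cumulative update
        )
    )

    $result = [ordered]@{
        Host          = $env:COMPUTERNAME
        Smb1ServerOn  = $null
        Smb1FeatureOn = $null
        Ms17010Patch  = 'not found'
        Port445Listen = $false
    }

    # 1. Is the SMBv1 server protocol switched on?
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) {
        # Windows 8 / Server 2012 and later expose the setting directly.
        $result.Smb1ServerOn = [bool]$cfg.EnableSMB1Protocol
    } else {
        # Windows 7 / Server 2008 R2: the SMB1 registry value is absent by
        # default, and an absent value means SMBv1 is enabled.
        $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                                -Name SMB1 -ErrorAction SilentlyContinue
        $result.Smb1ServerOn = ($null -eq $reg) -or ($reg.SMB1 -ne 0)
    }

    # 2. Is the SMB1 optional feature installed at all? (Windows 8.1 / 10)
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat) { $result.Smb1FeatureOn = ($feat.State -eq 'Enabled') }

    # 3. Is one of the known MS17-010 updates visible to Get-HotFix?
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KnownPatches) {
        if ($installed -contains $kb) { $result.Ms17010Patch = $kb; break }
    }

    # 4. Is SMB reachable from the network at all (TCP 445 listening)?
    $result.Port445Listen = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    # Exposed: SMBv1 on, port reachable, and no known patch visible.
    $result.Exposed = ($result.Smb1ServerOn -eq $true) -and
                      $result.Port445Listen -and
                      ($result.Ms17010Patch -eq 'not found')
    [pscustomobject]$result
}

# Remediation: removing SMBv1 closes the attack surface regardless of patch level.
# Patching is still required; this only removes the protocol the worm spoke.
function Disable-Smb1 {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

Test-WannaCryExposure | Format-List
```

A host that reports `Exposed : True` should be isolated from the network and patched or have SMBv1 disabled before it is reconnected; a `Ms17010Patch : not found` on an otherwise current Windows 10 build is expected, because cumulative updates replace the original KB, and the `Smb1ServerOn` value is the one to act on.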
Since the WannaCry incident occurred, there has been a collective focus across the NHS on strengthening resilience against cyber-attacks. We have taken the lessons learned from WannaCry and the feedback from frontline organisations to focus on improving speed of response, resilience, communication and knowledge in the event of a cyber-attack.
Progress has been made towards many of the recommendations from the reviews into WannaCry, and we will continue to work with our partners to implement them and support health and care providers.
About the Data Security Centre (DSC)
The NHS Digital Data Security Centre provides services to help predict, prevent, detect and respond to cyber incidents, threats and vulnerabilities, enabling organisations to use data and technology in a secure way to deliver safe and improved patient outcomes. Local organisations are accountable for their own cyber security and all staff have a part to play.
Support for the NHS
Weekly threat intelligence bulletins and alerts are sent to all of health and care identifying new and emerging threats, offering mitigation and remediation advice. We have introduced SMS alerting which is used to inform contacts that a major incident has been raised, and to signpost to the latest information and guidance on our website relating to the incident.
NHS Digital has carried out over 260 on-site assessments identifying problems in local infrastructure, each followed up with on-site support to help fix the issues identified.
We are expanding our capability and capacity to support local organisations by launching an enhanced Security Operations Centre (SOC). This will deliver new security services to the system and significantly increase our ability to monitor local networks, providing health and care organisations with near-real-time threat intelligence on their infrastructure and reducing local monitoring costs. The new SOC will enhance existing services as well as introducing the ability to proactively hunt for threats, perform regular vulnerability assessments across the sector and analyse samples of malware to help better protect all organisations.
A Customer Support Agreement (CSA) with Microsoft was signed in July 2017 to provide security updates for unsupported operating systems and to roll out Enterprise Threat Detection (ETD) to over 250,000 machines in the NHS, alerting organisations when an infection is identified.
NHS Digital and Health Education England e-Learning for Healthcare have developed data security e-learning to ensure that staff across health and care are equipped to handle information respectfully and safely, and understand their responsibilities for handling information responsibly and processing it securely. The training is mandatory: at least 95% of staff must complete it, with an 80% pass mark.
The Data Security Centre has also published a knowledge repository of best practice, policies and guidance.
Microsoft Windows operating system licences with Advanced Threat Protection
The Department of Health and Social Care has announced a new centralised Windows 10 agreement which offers local organisations Microsoft Windows operating system licences, including Windows Defender Advanced Threat Protection (ATP). This is free of charge to local NHS organisations that agree to implement the ATP facility.
The contract will run for five years until 2023.
The ATP facility gives local organisations better cyber security protection. It is also linked into the NHS Digital Data Security Centre (DSC), which improves cyber security protection for local health and care communities, and the NHS as a whole.
Prior to the WannaCry incident, we had been working proactively to support trusts with their cyber security. The DSC has been inviting organisations from across health and care to participate in a free cyber security assessment to give them an understanding of local vulnerabilities and potential security risks, and an action plan to help reduce those threats.
Before WannaCry we had conducted 113 assessments; this figure is now over 260.
To support Boards and leadership teams across the NHS to enhance their data security, we have been working with the Care Quality Commission (CQC) to develop its key lines of enquiry on data security as part of its well-led inspections. We have aligned these to the Data Security and Protection Toolkit so that organisations review their position against a single set of requirements.
Data Security and Protection Toolkit (DSPT)
The Information Governance Toolkit has been replaced by the new Data Security and Protection Toolkit (DSPT), which launched in April 2018. Completion of the DSPT is mandatory for all NHS organisations. The toolkit has been designed to be easier to use, with a simpler format, in response to feedback from a wide range of users. It supports health and social care organisations in meeting the requirements of the General Data Protection Regulation (GDPR), which comes into effect in May 2018.
For more information, and to access the Data Security and Protection Toolkit, go to: https://www.digital.nhs.uk/data-security-protection-toolkit
During high severity security incidents, we can send alerts and updates by using short message service (SMS) alerts, following a successful pilot. Contacts in Acute, Ambulance and Mental Health Trusts, Clinical Commissioning Groups and Commissioning Support Units can receive the alerts through this additional channel.
SMS will be used to highlight a security incident and signpost colleagues to the latest information from the DSC’s specialist team, who work closely with the National Cyber Security Centre (NCSC) during major incidents to analyse multiple intelligence sources and ensure that users are provided with expert guidance. The alerts are sent using the free government alert service, GOV.UK Notify.
The team is working with the National Cyber Security Centre (NCSC) to establish a collaboration forum of IT and security professionals in health and care who could share invaluable insights during a cyber-attack in a secure online environment. In the event of a large-scale incident, representatives from affected organisations can be invited to a closed group to discuss their situation in a private and secure setting, with the ability to receive intelligence that could not be openly shared.
Find out More
There have been three significant government reviews of WannaCry and the impact on the NHS:
- The National Audit Office (NAO) independent investigation into the WannaCry cyber incident on 12 May 2017.
- The Department of Health and Social Care’s Data Security Leadership Board commissioned the Chief Information Officer for the health and social care system in England, Will Smart, to carry out a review of May 2017’s WannaCry cyber-attack.
- A hearing by the Public Accounts Committee on the impact of WannaCry and response by the health and care system.