NHS ransomware cyber-attack was preventable

In a matter of hours, the NHS was effectively placed on lockdown with computer systems being held ransom and further machines powered down to prevent the spread of malware. Critical patient information has been inaccessible and several hospitals urged people to avoid accident and emergency departments, except in cases of real emergencies.

Ransomware is the form of computer malware that has infected the NHS. Typically, it encrypts user information and then demands payment before unlocking the information. In this case the ransomware demands a fee of US$300 (£230) payable in the crypto-currency, bitcoin, allowing the perpetrators a degree of anonymity.

British law enforcement have called it a criminal attack rather than one orchestrated by a foreign state. The British public can take some small comfort in this; criminal organisations are not as well funded and the malware may be easier to remove without the loss of patient files. It is too early to say categorically who is responsible for the attack though it is certainly the most devastating cyber-attack on British infrastructure ever.

But it is not just British infrastructure that has been affected by the ransomware. The Spanish telecommunications firm, Telefonica, was also attacked. There have also been a large number of other suspected attacks, notably in Germany, the Philippines, Russia, Turkey and Vietnam. A total of 99 countries have suffered from this attack so far. Whether this is as a result of a larger international criminal organisation is still unknown, however, the rapidity with which the infections are spreading is very concerning.

The attackers’ motive is perhaps clear: financial gain. Though if one looks beyond the relatively small demands of the ransomware, there is something larger at play here. Cyber-criminals will often boast of their exploits to others to gain a level of prestige among their peers. So, while we can often see money as the primary driver for this kind of attack, there may be other motives that will remain hidden.

Out-of-date systems and lack of training

The question of how this could have happened will be one that will produce several damaging reports outlining poor training and infrastructure. It has been clear for years that various NHS trusts have been lagging behind with upgrading their systems.

In 2016, Motherboard submitted Freedom of Information Act requests to 70 NHS hospitals, inquiring as to the number of machines owned that were still running Windows XP. An alarming 42 out of 48 respondents stated they still worked with machines using XP. This is made far more concerning by the official end of Microsoft support for Windows XP in April 2014. While funding to ease the changeover through extended support and eventual move to a more modern operating system was made available, there are still many NHS computers running Windows XP. This is putting the safety and privacy of patients at risk.

The UK government could improve this by providing better training. It is not immediately obvious to anyone that accessing personal information, such as emails, Facebook or Twitter, can have potentially damaging consequences. Opening a document from a friend, or a link through Facebook can be devastating if proper codes of conduct are not put in place. Something as simple as bringing in a USB (thumb drive) from your home to transfer large files from one computer to another could have the same effect, if the USB has been infected.

Modern anti-virus software and up-to-date operating systems can only do so much. It is therefore vital to invest more in cyber-security training for all staff working with sensitive information. This attack proves that the UK’s cybers-ecurity policy needs further work.

Conor Deane-McKenna does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond the academic appointment above.