Retrospective: NHS, ransomware and technical debt

May 31, 2017 | NSFOCUS

By: Stephen Gates, Chief Research Intelligence Analyst, NSFOCUS

On 12 May 2017, the NHS (the UK's National Health Service) suffered the single worst disruption to service in the history of the organisation. The cause was a type of malicious software known as ransomware, which attempts to extort money from victims by encrypting their data and offering to decrypt it for a fee (the ransom, no less), under threat of the data being lost forever.

Ransomware is not a new concept, though it has matured to the point that Ransomware-as-a-Service offerings now let criminals with no technical expertise run campaigns of their own.

So how does this happen? How does a critical national service fall victim to it? How is a customer of technology products left exposed to exploits? Many questions have been asked in the wake of this event; the harder question is whether the answers will actually make a difference.

To understand society's challenge in the face of business interests, prerogatives, politics and other issues bearing on security, we might look back at history to see what has to happen for things to 'change'.

Quite often, the imperative to 'do something' arises only when one of two things occurs: people die in significant numbers, or large sums of money are lost. History teaches us important lessons, yet we keep making the same mistakes. Ralph Nader's 1965 journalistic exposé Unsafe at Any Speed claimed that many automobiles were unsafe to operate. This attracted the wrath of the automobile industry, which embarked on a dirty-tricks campaign to silence him. Instead, it drove Nader to intensify his activism and challenge the establishment and the US government, with impressive results: major legislation was passed to protect citizens across a wide range of issues, including food safety.

So, with the history lesson finished, what is taking place in the UK? Things are not quite as bad as in the Nader story, but there has been extensive debate about apportioning blame among a variety of actors in this event, including:

  • the perpetrators of the ransomware attack,
  • the NSA, which built the exploit that weaponised the vulnerability in Microsoft's SMB implementation (an exploit which was subsequently leaked),
  • Microsoft's approach to legacy software support,
  • the NHS, for
    • not applying best-practice information security controls:
      • where was the network segmentation? Why was the infamous NHS backbone network the main channel that distributed the malware throughout the NHS? (Certain trusts' IT teams, on hearing of the outbreak, immediately disconnected from this backbone to avoid being infected with the ransomware; see below.)
      • why were the ports used by the SMB protocol (TCP 445, and TCP 139 for the NetBIOS session service) reachable from the public internet?
      • not patching or upgrading their technology assets: Microsoft had released a patch (MS17-010) for its supported operating systems in March 2017, two months before the attack took place,
    • not upgrading legacy software when funds had been made available specifically for that task, because those funds were needed elsewhere to maintain services to the public,
  • the vendors of healthcare technology (such as MRI scanners) who allowed outdated and unpatched software to run on their products (precisely the fear that security thought-leaders are trying to highlight with the Internet of Things) and who would only offer an upgrade if the NHS bought an entirely new system, which was of course cost-prohibitive. Cash-strapped NHS trusts found themselves making pragmatic choices: the products were doing what they were designed to do, and the risks were ignored,
  • and last but not least, the UK Government and the Department of Health.
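The two NHS points about segmentation and internet-reachable SMB ports are checks that can be run against firewall or flow logs rather than argued about after the fact. The script below is an added example written for this page, not code from NSFOCUS, the NHS or any trust; it assumes a hypothetical log line format (`timestamp ACTION proto=… src=ip:port dst=ip:port`) and a hypothetical one-/16-per-site segment plan, and the sample lines are constructed. It flags allowed inbound SMB (TCP 445 or 139) from addresses outside RFC 1918 space, and allowed SMB flows that cross between segments, which is the lateral path a worm exploiting SMB needs.

```python
"""Flag SMB exposure in firewall/flow logs: inbound SMB from the internet,
and SMB crossing between network segments that should be isolated.
Added example; log format and segment plan are assumptions."""
import ipaddress
import re
from collections import defaultdict

# SMB listens on TCP 445 (direct hosting) and TCP 139 (NetBIOS session service).
SMB_PORTS = {445, 139}

# RFC 1918 address space; anything outside it is treated as external here.
# (ipaddress.is_private is deliberately not used: it also covers the
# documentation ranges used in the sample log, which we want to look external.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical segment plan: one /16 per site (assumption for this example).
SEGMENTS = {
    "site-a": ipaddress.ip_network("10.20.0.0/16"),
    "site-b": ipaddress.ip_network("10.30.0.0/16"),
}

# Hypothetical log format: "<ts> ALLOW|DENY proto=<p> src=<ip>:<port> dst=<ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+proto=(?P<proto>\w+)"
    r"\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log (synthetic lines, not real NHS traffic).
SAMPLE_LOG = """\
2017-05-12T09:01:12Z ALLOW proto=tcp src=203.0.113.45:51234 dst=192.0.2.10:445
2017-05-12T09:01:15Z ALLOW proto=tcp src=10.20.1.15:49200 dst=10.20.1.30:445
2017-05-12T09:02:01Z ALLOW proto=tcp src=10.20.1.15:49201 dst=10.30.7.9:445
2017-05-12T09:02:03Z DENY proto=tcp src=198.51.100.7:40000 dst=192.0.2.10:445
2017-05-12T09:02:10Z ALLOW proto=tcp src=10.20.1.15:49202 dst=10.30.7.9:139
2017-05-12T09:03:00Z ALLOW proto=tcp src=10.20.1.15:49203 dst=10.20.1.31:443
"""


def parse_line(line):
    """Parse one log line into a record dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def segment_of(addr, segments=SEGMENTS):
    for name, net in segments.items():
        if addr in net:
            return name
    return None


def classify(rec, segments=SEGMENTS):
    """Return a finding label for an allowed TCP flow to an SMB port, else None."""
    if rec["action"] != "ALLOW" or rec["proto"] != "tcp" or rec["dport"] not in SMB_PORTS:
        return None
    if not is_internal(rec["src"]):
        return "internet_exposed_smb"      # SMB reachable from outside RFC 1918 space
    src_seg, dst_seg = segment_of(rec["src"], segments), segment_of(rec["dst"], segments)
    if src_seg and dst_seg and src_seg != dst_seg:
        return "cross_segment_smb"         # SMB allowed between segments that should be isolated
    return None


def analyse(log_text, segments=SEGMENTS):
    """Group flagged flows by finding label; unparseable lines are skipped."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec, segments)
        if label:
            findings[label].append(f"{rec['src']} -> {rec['dst']}:{rec['dport']}")
    return dict(findings)


if __name__ == "__main__":
    for label, flows in analyse(SAMPLE_LOG).items():
        print(label)
        for flow in flows:
            print("   ", flow)
```

On the sample log this reports one internet-exposed SMB flow (the DENY from 198.51.100.7 is correctly not counted as exposure, though a real deployment would want to count such attempts too) and two cross-segment SMB flows from site-a to site-b; intra-segment SMB and the HTTPS flow are left alone. A real log format will differ, so the regular expression and the segment map are the parts to adapt.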

Adding to the 'noise', the stock prices of information security companies rose by as much as 7%, while marketers began 'ambulance chasing'. The general media swarmed over the event, disregarding the privacy of information security professionals, sensationalising facts and spreading misinformation to one degree or another.

However, there were some positive events and outcomes following the attack.

Technology advances at a blinding pace, and security continues to be an afterthought behind profit. Security by design and security first must be principles that industry adheres to. We have heard a lot about corporate social responsibility, privacy and data protection over the last few decades; 'security' must be part of those initiatives. More importantly, if organisations do not evaluate the risk carried by their technical debt and have mitigation plans ready to enact, they will never be prepared for this kind of event. Not all NHS trusts were affected; some had already prepared for this.

As humans, we have an innate capacity for stupidity; each of us has done, or will do, something stupid more than once in our lives. Without checks, controls and consequences, how shall we protect ourselves? Looking back on history, we must ask: until more people die, or more money is lost or stolen, at what point does our society take action and put in place legislative controls that embrace the entire ecosystem of critical technologies being deployed, instead of leaving us to play the blame game?