Shalen Sehgal explains how healthcare providers can prepare to handle the next WannaCry-type incident, the GDPR implications and what steps can be taken to mitigate business disruption events.
The WannaCry attack which took place in May 2017 was a global event, hitting 150 countries worldwide. But it was a particularly significant event for UK healthcare providers, with more than a third of NHS trusts in England disrupted by the ransomware virus which encrypted data on infected computers and demanded a ransom to release it.
According to a National Audit Office (NAO) report into the NHS handling of the event, almost 7,000 patient appointments were cancelled because of the attack, which was entirely preventable. The NAO found that NHS trusts had not acted on critical alerts from NHS Digital and a warning from the Department of Health and the Cabinet Office in 2014 to patch or migrate away from vulnerable older software. An assessment of 88 trusts by NHS Digital before the attack found that none passed the required cyber security standards.
Although there was no evidence that any NHS trust paid a ransom to the creators of the virus, and NHS England claims that no patient data was stolen, the total financial cost of the incident is unknown. The hit to reputation and the disruption to normal business was certainly significant and the cost is likely to have run into several millions of pounds across the NHS.
In its response to the NAO, the NHS has already accepted that there are lessons to learn from WannaCry and it has promised to develop a response plan. The NHS will now ensure that critical cyber security updates, such as applying security patches, are implemented promptly by IT staff. And it is probably reasonable to assume that the NHS defences against this type of low-level attack will be much more robust than they were previously.
But the problem going forward is twofold. The first is that the NHS and its associated agencies comprise such a vast and disparate network, including thousands of hospitals, GP surgeries, dental practices and care homes, that rolling out administrative directives from the centre is always going to be almost impossible to police effectively.
The second is that the threat from cyber attack is constantly evolving, and if a relatively low-level attack such as WannaCry could get through so easily, then more sophisticated attacks will pose an even greater risk. When well-funded commercial organisations like banks and telecoms companies fall to hackers, underfunded organisations in the public sector, over-reliant on legacy IT systems, will remain at significant risk whatever steps they take. The only safe working assumption is that at some point your network is very likely to suffer a breach. This might be large or small but it will take place.
Sir Amyas Morse, NAO comptroller and auditor-general, said: “WannaCry was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber-threats out there than WannaCry, so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
Given the highly sensitive nature of personal data held by health care providers, and the additional reporting requirements imposed by the GDPR in the event of a data breach since May 2018, every health care agency must now raise its game in this crucial area and put in place incident response plans. A notifiable breach must be reported to the Information Commissioner's Office within 72 hours of the organisation becoming aware of it. If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.
Of course, cyber attacks are only one of a range of business disruption incidents to which health care providers are vulnerable. In fact, you might be surprised to learn that even though cyber attack is the top-rated risk for health and social care providers, it does not feature in the top three of actual events. According to the Business Continuity Institute Horizon Scan 2018, the top three actual business disruption events in the health and social care sector are unplanned IT and telecoms outages, adverse weather and interruption to utility supply.
What steps can be taken to mitigate business disruption events?
There are several steps that every organisation can take to prepare itself for the kind of unexpected disruption that the WannaCry virus caused within the NHS. This way you can be ready for the event, even if you don’t know what it is going to be or when it is going to strike.
Make sure that you have a business continuity (BC) plan which is fit for purpose:
The health care sector is ahead of many other industries in having BC plans in place across the board, because of the demands of the regulatory authorities. This does mean that the process is in danger of becoming something of a tick box exercise. Make sure that your plan is fit for use when an event strikes by creating a series of shorter action plans to fit each of your major threat scenarios. This will make it much more likely that it will be useful in real time when disaster strikes.
Make sure that your BC plan, and action plans, will be available to you under all circumstances:
Having a well-written plan in place is absolutely no use to you if you cannot access it in an emergency because your IT servers have been taken out by flood, fire or power failure. Keeping the plan available is easily achieved by making sure that it is remotely hosted in the cloud on secure servers and can be accessed from anywhere on mobile devices.
Review your risk register to make sure that it covers all your possible threats:
Many risk registers are based entirely on past experience and cover only events that have already happened to an organisation. This is likely to leave you vulnerable to more unpredictable events. In addition to power outages, severe weather and pandemic, you should also consider the impact of a more unpredictable event such as a fire or a security incident.
Consider the benefits of a cloud based multi-channel communications platform:
An emergency communications platform is essential to successful incident management, but it is only useful if it is always available. This means that it needs to be cloud hosted. In addition, having a multi-channel system, with phone, e-mail, SMS and push notifications, means that stakeholders can choose which channels they prefer to use, and the message is guaranteed to get through to them somehow.
Make sure that you have a testing and exercising programme in place:
This should include a mixture of virtual, desktop and live tests and exercises. Having such a programme in place is standard BC good practice, is an emergency planning requirement for many NHS agencies, and greatly increases the chances of an effective incident response.
Shalen Sehgal is managing director of Crises Control.