Autumn Newsletter - Flipbook - Page 9
Did you WannaCry?
Data security revisited, Joanna Protopapas
We all know that good information governance provides a
solid framework for any organisation to ensure that
business-critical information is handled legally, securely
and efficiently. In the NHS, delivering care relies heavily
upon a wide range of information: from patient data to
rostering and beyond, both paper and electronic data is
crucial to provide high quality services. The lack of
availability of this information will inevitably have a
serious impact on patients and their families.
This is where Information Governance and Information
Technology go hand in hand - no investment in IT
systems would completely prevent this type of attack
from spreading if the staff within the organisation lack
understanding of such basic threats. Information
governance isn’t only about keeping patients’ data
secure and making sure that identifiable details are
accessed by authorised personnel only. It is about a
whole-scale approach to minimising risk.
In May 2017 the NHS, as well as hundreds of other
organisations globally, were targeted by WannaCry
ransomware cryptoworm, a data encryption and ransom
virus. This unprecedented attack exposed serious gaps in
the NHS IT infrastructure and a fifth of all NHS Trusts
were affected in some way. At least 14,000 appointments
and 850 operations were cancelled as a result. It is now
known that the attack was entirely preventable. The
National Audit Office when investigating the aftermath of
the attack, found that the virus was relatively
unsophisticated and could have been prevented if NHS
organisations were following the basic IT security best
practice.
Some IT experts blame the government underspend on IT
in the NHS as it is now known that the virus took
advantage of the fact that some organisations were using
a ‘retired’ Windows XP operating system that has not
been supported by Microsoft since 2014. However, this
only tells part of the story as a key contributing factor was
human error. Ransomware attacks, as well as other
computer viruses, often spread via e-mail by a technique
called ‘phishing’, which tricks the recipient into opening
attachments and releasing malware onto their system.
IT experts also suggest that blocking all internet access,
or, blocking e-mails with attachments sent directly to
NHS mail accounts would eliminate the possibility of an
employee accidentally releasing the virus into the system.
Neither of these options are going to eradicate the risks of
human slip-ups completely. In 2010 a malicious worm
called Stuxnet attacked a nuclear plant in Iran, causing
serious damage to some of its systems. The plant was
not connected to the public internet in any way and it is
believed that the worm was introduced to the systems via
infected removable drives such as USB sticks.
The U.S. Department of Homeland Security tested how
hard it would be for hackers to corrupt workers and gain
access to its computer systems. A number of computer
discs and USB thumb drives were dropped in the car
parks of government buildings. Of those who picked them
up, 60 percent plugged the devices into office computers
(Wired, 2011).
Good information governance systems should consist
of a number of controls and measures, such as
policies, procedures, risk assessments, staff training,
audits and regular reminders. These measures should
offer the management sufficient assurance that the
organisation’s information assets are protected from
threats, whether internal or external, deliberate or
accidental and that the staff understand the risks of
inserting a USB stick found in the office car park into
their work computer.
In every organisation, information security systems are
like a chain - only as strong as the weakest link. It is
crucial to get the basics right – investment in strong IT
systems is worthless without good information
governance and vice versa - achieving accreditations
such as ISO 27001 or IG Toolkit makes no sense when
the IT structure is dated and patchy. For many Trusts,
poor IT and information governance concerns are often
lost amongst other, more pressing issues. However,
this approach will now have to change. The WannaCry
attack has proven how poor IT can have a direct impact
on care and patient experience and it is almost
guaranteed that this is not the last attack of this kind.
9