Simple solutions to NHS cyber-attack are not reflective of reality – Deloitte

  • 19 May 2017
Simple solutions to NHS cyber-attack are not reflective of reality – Deloitte

Simple solutions to the huge cyber-attack that caused chaos in the NHS last week do not reflect the complex reality on the ground, says a Deloitte director.

Bryan Hurcombe, head of public sector cyber practice at Deloitte UK, said that answers such as lose legacy IT systems, secure by design and patching are not easy to implement.

Speaking at a Westminster eForum Keynote Seminar on cyber security, six days after the NHS cyber-attack, he said: “I think we need to talk about the reality of the situation and give ourselves a bit of a break”.

On legacy systems, Hurcombe said that “it’s not just a case of lifting and shifting them, these are deep in the heart of organisations and it takes time”.

The global cyber-attack, which has been attributed to a form of ransomware called ‘Wannacrypt’, exploited a known vulnerability in Windows XP.

Questions were raised over the weekend on why the NHS proved so vulnerable, with suspicion pointing at legacy IT systems.

Hurcombe said, “you’re absolutely right, we should get rid of legacy IT but it’s just not that simple”.

He also said that patching has been touted as the answer and  “we should patch, it should be done, it’s just not easy to do”.

“I think that needs to be our key message – we get this, we understand this, we know it needs to be done but actually it’s really quite complex and takes time.”

The patch for this vulnerability had been released by Microsoft in March this year, and the company defended its role in the cyber-attack by laying the blame at the National Security Agency’s door for “stockpiling” the vulnerabilities.

He said that while everything should also be “secure by design”, legacy IT was never built to be secure.

“In the public sector we really struggle to find the right talent to help us implement secure by design principles”.

Hurcombe compared the virus to a worm called CodeRed in 2001, which he said the FBI had credited with “almost breaking the internet” and costing $2.75 billion in clean-up costs.

Digital Health News published a guide on how to protect yourself from ransomware and a dissection of the weekend’s events.

Hurcombe concluded: “I think what can’t happen again is in the public sector, we can’t ever be accused again of not getting the basics right”.

Some trusts, prior to Friday, had openly admitted to not covering the basics.

One of the worst hit trusts, Southport and Ormskirk Hospital NHS Trust, had published in its board papers just days before the attack that “the trust does not have plans in place for what to do in the event of a cyber security attack”.

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

Cyber attacks on critical national infrastructure predicted to increase

Cyber attacks on critical national infrastructure predicted to increase

Mark Edwards, CISO at Digital Health and Care Wales has warned that cyber attacks on critical national infrastructure are likely to increase.
EHR system restored at Ascension following cyber attack

EHR system restored at Ascension following cyber attack

US non-profit health system Ascension says that its electronic health records system has been restored across following a ransomware incident in May 2024.
NHSDG warns 150,000 patients to assume data has been published

NHSDG warns 150,000 patients to assume data has been published

NHS Dumfries and Galloway is warning around 150,000 patients to assume that their personal data is likely to have been stolen and published online.

4 Comments

  • If anyone can answer my questions about NHSbuntu then we might be happy to look at it.

    1. How suitable is this for an acute hospital running around 500 applications without a virtual desktop solution?
    2. Is there a Linux SSO product that can be used across all software applications, by this I mean not just a simple solution that works with Web applications or AD authentication, a product similar to Imprivata.
    3. Where do I find engineers with Linux experience, must have looked at 200 CV’s over the past 6 months and not one had Linux experience listed, especially in an enterprise environment.

    So NHSBhuntu might be suitable for a GP surgery but until you can address all the above issues then it will only be NHSBunkum for Acutes.

  • Hhmmm – we need to be wary of people with stuff to sell.

    You have to ask why we have not transitioned the thousands of desktops to a standard imgage of something like http://www.nhsbuntu.org .

    Doing this would give people what they need, ensure standards compliance, enable the desktop to be locked down tight and would prevent the planned obsalesence that takes so much time and energy for perpetual expensive upgrades.

  • Well said Dan
    “The global cyber-attack, which has been attributed to a form of ransomware called ‘Wannacrypt’, exploited a known vulnerability in Windows XP.”
    This is not the case, really. The ransomware exploited a hole in the Windows operating system. A patch was made available a few weeks ago to fix this, but that patch would largely have not yet been applied. It is true that XP was not patched until last week, but there is no evidence to say this was an XP based attack, or that more XP than anything else was infected. Added to this, the ransomware probably gets onto machines in the first place by traditional ransomware means ie an email. The patch does not fix this on XP or Win 7

  • I think we need to stop calling it an NHS It attack. This was a worldwide Cyber attack which in the UK those hospitals impacted got a lot of publicity but it also impacted Nissan Car Plants or German Railways or Russion Ministry of Interior.

    What has had less publicity is that there 150 or so Acute Trusts manging hospitals in England, with different systems in the other 3 countries. 15-20 were impacted initially and 3-5 were impacted so seriously that there is still an impact over a week later. So well done to most of them for putting good security in place.

    One of the problems of patching is that a lot of the IT is actually embedded in medical equipment, it is a risk not to roll out the patch straight away, There is a risk in rolling it out without testing the impact on the performance of proprietary software supporting specilist equipment.

    Driving out XP is easy for basic office type functions, buying expensive specilist equipment were the control software was designed to only run on XP and all potential bidders for some contracts are still offering equipment with XP embedded as the most modern available as at 2017, what is a hopital to do?

Comments are closed.