Poor Reporting of the NHS Cyber Attack

Dude, it’s Friday evening. I don’t want to think about computers again until the weekend’s over. But I was reading some reports of the “NHS Cyber Attack” which happened this afternoon and there’s a lot of misleading information flying around. If you work in IT, like I do, you can see through it. But the way this seems to have been reported by the mainstream media has been a bit misleading and, dare I say, scaremongering.

This is caused by two things, first of all the NHS probably don’t want people know what a stupid and avoidable mistake they made here, one which will cost them more money than I’ll ever see in my lifetime. Secondly, every time a tech story is too big to be hidden away in a tech column, societies general lack of IT knowledge tends to shine through. Unfortunately, that can be a bit scary and confusing for punters on the street. The good news if you’re reading this is my job is managing a team who are expected to explain IT issues to people with little to no IT knowledge. I like to think I’m pretty good at it so, here we go.

What is a Cyber Attack?

I don’t know, but it sounds good doesn’t it? It sounds someone in a darkened basement in Siberia, lit only by the glow of his computer screen, spent several hours toiling over the code before finally, he was in! The NHS mainframe… but no that’s not what happened at all. This was ransomware.

What is Ransomware?

Short answer, it’s a nasty virus. There’s a number of ways they can find their way onto your computer, from a pop-up on a dodgy website, a link on a weird email or a questionable attachment. Next thing you know, your screen has been locked down, a window has come up asking you for money and you can’t get rid of it.

This is a relatively new type of virus, usually they act like you’d broken a law and that the GCHQ or police has seized control of your device and won’t give it back until you send them some bitcoins, an untraceable online currency, to stop them from pressing criminal charges. If you aren’t experienced then this could spook you into paying up in the heat of the moment but… it doesn’t make any sense in the cold light of day.

Normally these viruses will also claim to have encrypted all of your documents in a further attempt to scare you into meeting their demands, but that doesn’t happen by and large. The people who make ransomware are opportunists, it’s like a game of poker. They don’t actually have control over your computer, they just want you to believe they do so you give them money. They have no interest in ruining your computer, all they want is the cash. So if you’re worried that patient data has been compromised in this “attack”, there’s no need to worry. That’s not what they’re here for.

Isn’t This What an Anti-Virus is For?

Yes. When you’re browsing the web, your anti-virus will identify and nullify threats before they get a chance to cause any damage and will also fix anything that gets through the cracks. For an organisation, it’s a little bit trickier. All the devices an organisation own will be connected together, this is how you’re able to access shared documents and that sort of thing. So if a virus takes hold of one computer, it can multiply and spread to all the devices on the network. Organisations will still have anti-virus systems of course, and they’re generally more robust, but something getting through the system will have more devastating consequences than it would do on your home computers.

So What Happened to the NHS?

I don’t work for them so I can’t say for sure. Here’s a list of probable events and how they could’ve been prevented:

  1. A member of staff opened a dodgy attachment from an email.
    • Better spam filters would’ve prevented the email getting through. (Note that it’s impossible to make a perfect spam filter, but I have no idea how good the one the NHS have is, so it’s worth mentioning)
    • Better staff training would’ve given the user the ability to identify an malicious email. (If in doubt, call IT. It’s not worth the risk)
    • Anti-virus should have scanned the attachment before the user received to confirm if it contained a virus. (As above, it might not have been from an email attachment, but it normally is)
    • The user should not have had access to make high level changes to their computer. This should have never progressed beyond point one of this list. But it did.
  2. The first computer was infected.
    • There should have been some form of active monitoring in place to identify the thread and remove the infected device from the network.
  3. The virus spread.
    • The “patient zero” computer shouldn’t have been connect to any more devices than was necessary in the first place. A virus spreading to multiple devices in one office is almost understandable, but how did it get to various hospitals and clinics up and down the country?

How Did This Happen?

Again, I don’t work for the NHS but I can only speculate. A lot of people online have pointed to budget cuts within the NHS, while giving the service loads of money would have enabled them to hire more staff and procure better software, I think that’s a bit of a cop out. Austerity cuts haven’t just hit the health service; councils, police and fire services have also been faced with smaller budgets and have largely managed to adapt. The issue is the smaller budget leaves very little margin for error.

The NHS had the resources to fix these issues before they became a problem, but they didn’t see it as a priority because the people in charge of the money don’t really understand how IT works. Nobody outside of IT ever thinks about IT until it all goes wrong and guess what? The more your organisation relies on computers, the deeper the hole you’re digging for yourself when it all eventually goes wrong.

So, if anyone important is reading this, make sure you continuously invest in IT, I’m not just talking about buying the latest computers here either. Spend money to hire better IT staff and invest in training for your users too. As time move on, most companies rely on IT to keep everything ticking along. You should, it’s a huge efficiency saving. But if you don’t keep investing, eventually something will go wrong and your house of cards will fall.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Powered by WordPress.com.

Up ↑

%d bloggers like this: