Chronicle of a breach foretold: Lessons from the NHS data security meltdown

by Edward Cone

Shortly before last week’s wave of ransomware attacks we spoke with Dan Taylor, Head of Security for the NHS Digital Security Center. While our conversation preceded the widespread security breaches at England’s national health service, it may tell us something important about why the NHS found itself vulnerable to the global crime spree.

You might recognize similarities to your own organization in his description of the NHS. With data-security threats on the rise and ransomware itself widely available as a service, any such resemblance should be evaluated carefully.

Our conversation about the NHS was part of the research for The Global CISO Study, which included a survey of 300 senior security executives in six countries, along with in-depth interviews with Mr. Taylor and CISOs from two large financial-services firms, Allianz SE and Synchrony Financial. The survey results make it clear that the people in charge of information security are feeling insecure. Fewer than one in five CISOs say their organization is highly effective at preventing security breaches, over 80% are highly concerned that breaches are going unaddressed, and almost as many worry about their ability to detect breaches in the first place.

Data security is a massive, multi-factorial problem, and many issues contributed to the WannaCry ransomware crisis, including widespread use of pirated software and patching policies deemed by some to be extortionate themselves. But our talk with Mr. Taylor revealed serious concerns about security that the NHS is trying to address—and that may have already taken their toll. Some key takeaways:

1. Systemic issues trump threat awareness

At the NHS, the threat of ransomware was taken very seriously. The system had been hit by online extortionists in the past, and Mr. Taylor spoke to us of “exponential growth” in ransomware activity around the world. Yet it was not the specific nature of these attacks that had Mr. Taylor concerned; it was the level of preparedness across the sprawling health system for attacks of any kind. “Ransomware only prevails because it exploits general weaknesses,” he said. “The media sometimes get hung up on the actual attack vector itself. I think, actually, cyber preparedness is pretty much the key to fighting this.”

2. Basic methods can do major damage

The ransomware attacks reportedly spread via phishing emails—another area of concern for the NHS. With well over 1 million employees on email, the danger of a breach is massive. “When you've got that kind of threat potential, there's always the opportunity for phishing—spear-phishing particularly—to be quite successful,” said Mr. Taylor. “I do think spear phishing is becoming quite a big influence.”

3. Weak links are hard to hide

Mr. Taylor’s security function is tasked with providing guidance and assistance to thousands of organizations within the NHS, from major hospitals with substantial resources of their own to small offices without meaningful in-house support. “We may have sites that have fantastic security,” he said. But: “Including pharmacies and general practice, you've got somewhere in the region of 15,000 organizations and 1.2 million staff. You're always going to have weak links within that chain that could be exploited.” The NHS is working on an overlay of system-wide standards, training, and governance upgrades, but those things take time, money, and buy-in. “It's hard to make sure that staff have consistently updated training to understand the threats that exist within the growing landscape.”

4. Culture matters

“The NHS is not a mature digital information entity,” said Mr. Taylor. “The challenge for us is to move health and care to understand that information and data security in a digital world is a different risk profile than it is in paper records.” His goal is to make good data hygiene second nature—but doing that is a process, not an event. “If you want to change the way people think about data security, moving it into a culture, then we need to make it more situational. We need to get individuals thinking about what they can do to protect information, what their role is, and actually understand those principles in the workplace. You move to a position where people understand why it's important to look after data.”

Again, Mr. Taylor was speaking before last week’s attacks, and we do not yet have a detailed post-mortem on the events that caused so much havoc at the NHS and many other organizations around the world. But the issues he described to us could easily have played a role in the catastrophe—or could do so in the next one.

Speaking of the transformation efforts underway, Mr. Taylor told us, “In two to three years we'll be in a different place.” Unfortunately, as events have shown, nobody has that much time.