Could the NHS have prevented WannaCry?
It's time to get SMART
Often we see cases where the organisation gets impacted by an attack, ransomware being the most reported and prevalent cases right now, and afterwards we hear that the issue has been ignored or misunderstood advice or lack of visibility that the advice has been implemented comprehensively. This is not just about the NHS, as for example in the recent case of Equifax we heard afterwards that a security notification regarding Adobe Struts application had not been applied thoroughly. Often the organisation does not have an inventory of all operating systems and applications that need to be patched – which makes the challenging task of patching even harder – a robust patch management system would aid that. In the case of NHS, we do know that Windows XP systems were still in place and that Microsoft was no longer maintaining that operating system, so by continuing to use it the door was always open for an attack to be successful given that vulnerabilities are emerging all the time. One of the factors at the NHS though that we must consider is that some of the specific medical equipment being used was only every designed to run Windows XP – so in that case the options are limited. What could have been done better was the compartmentalization of environments that were known to be running older software so that if they did get impacted , the damage could be limited. This would have required internal firewalls and really mirrors best practices that have been adopted by more sensitive IT installations in the past. In the military for example, how alarming would it be if a weapon control system was compromised in the same way we hear a x-ray machine has been. Authentication measures that step beyond standard passwords and embrace multi-factor authentication are a positive step in the right direction in controlling access. Beyond the basic IT security measures that can be adopted, some of the more recent innovations around identity and access management need to be in place in the NHS.
Consider administrators and the high-level accesses that they have - without a privileged access management system in place there is no visibility or control over what they can do within an infrastructure but since they need that privilege to accomplish their tasks it has to be granted but only for a limited time to specific individuals and then it also makes sense to monitor that activity so if there are any subsequent problems they can be addressed intelligently. This measure provides a very effective safeguard for what is a foundational step in securing an enterprise – since if the security tools that protect us are open to abuse by administrators then we are in trouble.
We know that the security basics are important and the NHS cyber security strategy has focused on securing the wider enterprise having implemented core infrastructure security components such as Firewalls; Intrusion Detection and Malware prevention but it is now about ensuring their security coverage really stops this new wave of malware and enabling them to operate effectively.
With a people or “identity” focus they now need to be thinking more about the controlling mechanisms that provision and de-provision users. They need to become more pro-active and take advantage of new security tools. They require pre-emptive actionable insights to reduce risk before bad behaviours impact their business. This will also enable them to leverage operational efficiencies to address compliance requirements. They need to get smarter about risk. They need to be able to analyse identity data to prioritise decisions, actions, and thoroughly remediate risk. They can also then report back that a request to implement security advice has been put in place successfully. And as result they will be spending less in the process – and limiting the disruption of cancelled appointments and operations as well as the financial impacts caused by targeted attacks.
By getting SMART, they can achieve.
Security Intelligence – Enhances overall security efforts by accelerating the discovery of problem access and violations
- Actionable risk intelligence. Speeds entitlement remediation by offering clues as to where security and risk professionals should focus their efforts
Managed visibility – Empower security with visibility into potential risk factors
- Provides compliance and operational dashboards and reports based on user identity, access and audit data for quick review
Automation – Accelerate risk detection and increase analysis accuracy to better focus investigation efforts
- Accelerate the discovery of problem access and security violations. Prioritise compliance actions.
Reduced burden – Improve productivity and effectiveness through the identification of high-risk entitlement areas and organisation-specific risk weighting
- Reduce administrative time and effort spent troubleshooting and hunting for user access answers
TCO - Ensure efficiency improvements and reduce overall operational costs