NHS Still Learning From WannaCry Attack

Lessons are still being learned from the WannaCry malware attack, which nearly crippled the NHS and is said to have cost £92m to rectify.

In December 2019, the Medical Device Coordination Group (MDCG) issued new guidance to manufacturers of medical devices to ensure they meet the cyber security requirements set out in both the Medical Devices Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR).

Hackers behind the WannaCry attack took advantage of the outdated platform used by the NHS, which was no longer being automatically updated by Microsoft. Although security patches were being issued, they had to be applied manually, and this was done only sporadically across different devices.

Both the MDR and the IVDR stipulate that manufacturers should implement “state of the art” practices throughout the entire production cycle of medical devices. In addition, the regulations state that manufacturers must take into account principles of risk management including information security and IT security.

Although this information, as it currently stands, is only guidance, it gives a clear steer to those who work on IT, infrastructure and medical devices for the NHS, outlining clear steps the NHS can take to prevent a repeat of the WannaCry disaster.

Two years may have passed, but since then Microsoft has ended technical support for Windows 7, which could give another group of cyber criminals a way into the IT infrastructure of any organisation in any sector.

No sector is safe from cyber criminals, who want to cause as much disruption as humanly possible and potentially walk away with some financial gain – although money isn’t always a motive.

This was evident in the ransomware attack which hit the financial organisation Travelex on New Year’s Eve. The company is still attempting to recover from this attack weeks on.

Cyber security doesn’t have a one-size-fits-all approach, with hackers continually adapting their tactics to work around the defences that software giants put in place to keep them out.

Ensuring your cyber defences are regularly updated and your employees know exactly what steps to follow if they notice anything suspicious is vital in keeping cyber criminals out in the dark.