Welcome to NBlog, the NoticeBored blog

You don't need eyes to see: you need vision

May 13, 2017

NBlog May 13 - health service ransomware incident

Reading between the lines a bit, it seems to me that despite the scary headlines the security controls have worked on the whole: as initially reported, the ransomware has had limited effects on a relatively small number of UK National Health Service sites. 

Without adequate information security, it could have been much worse.

The NHS is huge and complex, with lots of interconnections and interdependencies between lots of IT systems (patient records, diagnostic systems, booking/scheduling systems, life support systems, things ...), many of which are critical, across lots of sites, businesses and departments, used and managed by lots of people ... so a virulent worm carrying ransomware must be a huge threat. The vulnerabilities are obvious (well some at least!), as are the impacts, in other words this is a significant risk.

It’s another nice case study in the making, useful for anyone struggling to convince management of the need to pay attention to information risk management and invest in appropriate security controls – not just against ransomware specifically or malware, but in general. Basic security controls such as frequent, reliable offline backups, proactive security awareness, slick incident response and business continuity arrangements are our Swiss army knives.

For NoticeBored, a case study based on the NHS ransomware incident would form a bridge linking several recent security awareness topics (e.g. email security this month, plus malware in March and Internet security in January) with next month's topic, IoT security. 

Major incidents that are widely covered by the mainstream media and news outlets are like awareness dragnets, snagging workers with very low levels of security awareness and little understanding or interest in information security are hard to engage with by conventional means. Headline incidents that catch their attention, even fleetingly, give us opportunities to explain and expand a little on the information risk and security angles, firing up their imaginations and reinforcing the point that we're not just doing this stuff for the sake of it. There are real-world consequences to incidents, some of which affect them personally, plus their families, friends, colleagues and employer. 

Regards,
Gary (Gary@isect.com)

UPDATE: reports are still coming in as I write this. Seems the incident is not limited to the UK, with health services in around 100 countries also affected.