NHS cyber attacks – preventing and handling ransomware – Cyber security updates

As widely reported in the media, there has been a significant wave of ransomware attacks against a large number of NHS bodies and their access to data held on computer systems. NHS Digital has stated that it is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and ensure patient safety is protected.

Ransomware is an increasingly prevalent threat, with a rising number of variants designed to target corporate networks. In spite of this, there are many pragmatic steps which organisations can take to reduce the likelihood of incidents, limit their impact when one does occur, and to recover swiftly and effectively. These span several aspects of IT operations and security, and primarily relate to:

• Robust business continuity planning and exercising and the ability to restore systems rapidly from backups;
• Crisis and incident response planning and exercising to ensure incidents are managed and resolved swiftly;
• Strong security hygiene policies and user awareness to prevent ransomware entering your IT environment through both technical controls and vigilant employees; and
• Rigorous patch and vulnerability management ensuring you make effective use of work already done to address vulnerabilities.

Priority recommendations for management and IT colleagues to consider, subject to also considering the operational impacts of making these changes, are:

• Provide your desktop and server IT operations teams with all the support they need to rapidly deploy Microsoft’s April and May security updates, along with MS17-010;
• Accept that addressing issues may require temporary disruption to some IT services as additional controls are implemented and vulnerable services disabled. For example, disabling the SMBv1 protocol and the ability to execute unsigned macros in Office documents, and enabling two factor authentication for all external access to systems (e.g. VPN and RDP).

PwC never recommends paying a ransomware – unless there is a threat to life. Doing so fuels the ransomware economy, funding development of additional ransomware techniques and campaigns.

For any enquiries on how to best prevent or address ransomware or other cyber attacks, please contact: breachaid@uk.pwc.com

We have released a report to PwC customers containing more technical detail and recommendations about this ransomware. Please feel free to email us at threatintelligence@uk.pwc.com and we will be happy to send you a copy.