Last month, the city of Baltimore faced a cyber-attack paralyzing government computers and, at the same time, hospitals. However, this large-scale attack is caused by a virus that has already paralyzed thousands of computers around the world, particularly UK’s NHS public health service. Then, it is appropriate to come back to this case, to have a better understanding of this kind of cyber-attacks and prevent future ones.
What is the NHS?
The NHS – National Health Service – is the public organisation of health in United-Kingdom. In fact, it is made up of four independent system in England, Scotland, Wales and North Ireland. This public health service is born in 1948 to the following of the recommendation of the “Beveridge report”. It established a national system providing social and medical coverage for all citizens “from the cradle to the grave”. The NHS provides the majority of healthcare in UK, including primary care, ambulatory care, long-term care, ophthalmology and dental care.
Since 2010, the Lib-Dem and Conservative coalition have committed to improve the system and increase its budget. In 2012, the Health and Social Care Act initiated a fundamental transformation to make significant savings.
What is happened?
From 12 May to 19 May 2017 the WannaCry malware affected 300.000 computers all around the world including those of citizens, companies and public services such as the NHS which was the worst hit in the UK.
Indeed, Hospitals in some parts of the country were forced to cancel appointments and turn away people after the IT system crashed. Patients were being advised to going to Hospital only in case of emergency. Doctors and nurses were forced to return to pen and paper and even using their own mobile to call patients. Also, the attack left them without any access to medical records, to X-rays or any medical tests and details about the medical history of their patients (allergies, current medication, etc.).
This attack has been qualified by Europol “of an unprecedented level”. Finally, 81 NHS bodies were affected, which represents a third of the total bodies, and it cost the NHS £92m because of the cancelling of at least 19.000 appointments.
How works the attack?
WannaCry is a ransomware worm based on the phishing technic. It works as follows: the malware travelled from machine to machine and spread automatically by sending itself across corporate networks. When it has affected a new machine, it silently infiltrates the operating system and restarts the computer, then began to encrypt data to make impossible to read it without the decryption key. Then, victims can buy the key for about $400. The malware takes advantage of a flaw of Microsoft Windows.
The author of the attack might be the cyber-gang “Shadow Brokers” who revealed, a month earlier, a hacking tool stolen from the American national security agency (NSA) named “Eternal blue” which used the same flaw. The same one has been used for the Baltimore’s cyber-attack. An internal investigation made by the Britain’s National Audit Office in June concluded that North Korean actors could be behind the malware.
Why the NHS could have avoid the attack?
Despite of the fact that the NHS had “responded admirably to the situation”, according to the government, they had been unprepared and had could avoided the attack. NHS is the fifth largest employer in the world with 1.7m employees but its IT fleet is particularly dilapidated.
Indeed, NHS trusts didn’t upgrade their IT systems and 90 percent of them were still using Windows XP which is a 16-year-old system. Security experts alerted that this version of the software was particularly vulnerable. However, Microsoft issued a patch in March to protect users from the malware and NHS Digital gave critical alerts warning NHS Trusts to fix the exact bug in their Windows computers.
It generated massive critics in the public opinion and Meg Hillier (chairwoman of the public accounts committee) said that “the NHS need to get serious about cybersecurity or the next incident could be far worse”. Then, the Government had allocated a budget of £150m to improve its IT systems to 2020 and the NHS planned an upgrade of local computers to Microsoft’s Windows 10.
Theresa May, prime minister, said: “The National Cyber Security Centre is working closely with NHS Digital to ensure that they support the organisations concerned and that they protect patient safety”.
Why do we should worrying about our medical data?
Obviously, it is highly important to protect medical data as it affect the diagnosis and health of patients. In this case, hackers could have deleted the files and every encrypted data could have been lost. In addition, medical data is, in a lot of ways, very personal and could have a direct impact on social and work life of a patient. Then their protection should be strengthened.
But beyond of the data concern, Amyas Morse argued that “the WannaCry cyber-attack had potentially serious implications for the NHS and its ability to provide care to patients”. Indeed, people need to have confidence in the safety of their physical care insured by the Health public service.
Plus, “A cyber-attack is a weapon which can have a huge impact on safety and security. It needs to be treated as a serious, critical threat”. With the normalization of using machine on surgery and the increase of using connected objects in the workplace planned in the next decade, the damages of an attacks are more important than ever. In a global context of terrorism more attacks of this type are inevitable, experts warn about risks of a combined attack in two step: physical to injured people and digital to paralysed hospitals.
To sum up, lives are potentially directly at stake and that is why health services, more than any other entity, need to have the most efficient cyber-security system. And public organizations will undoubtedly be particularly vulnerable targets because they often maintain vital and sensitive information databases while having limited information security budgets and inadequate technological protection measures.
What is the legal framework?
The Data protection act 1998 (DPA) implemented the Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free circulation of such data. Also, it repealed the Data Protection Act 1984. The latter had been the subject of a dispute over the transfer of personal data between Sweden and the UK which was one of the factors to implement supranational legislation in EU. The DPA 1998 devotes a special protection to “sensitive personal data” including medical data (art.2(e)).
Moreover, the General data protection regulation (EU) 2016/679 (hereafter ‘the GDPR’) changed even more the legislative landscape for data protection. Because this one came into effect before the end of the “Brexit process” and is directly applicable in the UK without changing the domestic legislation, it replace actual legal framework in the country. The UK Government is currently obligated to amend the DPA 1998 to bring UK law in line with the requirements of the GDPR. The Regulation protect sensitive personal data (art.9) and put strong responsibilities on the Data controller which means that NHS will have to improve its system and guarantee an effective protection of medical data.
After, and if, Brexit process succeeds, this is highly likely that the UK choose to keep a high level of protection to maintain good data trading relationship with EU. Plus, the GDPR art 3 provides that it applies more widely than European territory. Then, EU establishment or the localization of the processing in the EU is not required if data subjects of the processing are in EU. It is obvious that the data processed by NHS includes a large number of data from European citizens. At that point, NHS must surely comply with EU law even after the enter into force of Brexit and keep high protection of medical data to avoid a new cyber-attack of this type.
Laeticia Dimanche
Master 2 Cyberjustice – Promotion 2018-2019
