“I am glad we have been unaffected. I suspect Single Domain has enabled all of our Windows PCs to remain up-to-date with the latest patches.” Rishi Mannan, CCIO, Windsor, Ascot and Maidenhead CCG
“Many thanks for your efforts in what must have been a difficult weekend for your department. We appreciate your hard work in keeping us going.” The Partners and Staff of Close Farm Surgery
The recent cyber attack across the NHS resulted in significant disruption to local health systems. As a supplier of IT services across a number of CCGs and NHS Trusts, SCW was at the forefront of the recovery response and of protecting health and care systems from the May 2017 WannaCry cyber attack.
We currently provide IT services for more than 1,000 GP Practices (10% of the national total), 27 CCGs, four community social enterprises, two private community providers, an NHS hospital trust, an NHS mental health provider and a local authority. Our rigorous security patching policy resulted in minimal exposure and a more limited impact for these customers than for many other NHS organisations.
On 12 May, the new zero-day virus was detected in Spain at around 2.30pm and quickly spread throughout Europe and onwards across the world. SCW IT Services (ITS), along with other NHS organisations across the UK, detected infections in GP practices from around 3pm.
Within 30 minutes of initial detection in Spain, SCW’s cyber security service detected infections in local GP practices. We initially treated this as a Priority 1 incident, but soon escalated as it became clear this was a major cyber attack. We implemented our full Business Continuity plan and deployed Bronze, Silver and Gold response teams. Our fully documented and tested IT Service Continuity Plan worked as designed. The command and control centre in our Taunton IT engineering and storage facility was available 24/7 and fully networked. Our engineering teams were able to work remotely and communicate using WebEx to share screens, voice and video; having all of these available on a single platform was invaluable.
Recovery actions were rolled out immediately and over the next three days. These included contacting customers and keeping them informed, isolating IT services from the N3 network, applying software patches, and effecting ‘roll-back’ in the 18 of the 878 practices we support where infections had been detected. This led to successful recovery of data at each site. There were no incidents reported across any of the datacentres that SCW supports. Somerset CCG rated our performance 5 out of 5 and recognised the benefits of recent IT infrastructure upgrades, a sentiment echoed by other organisations we support.
NHS England praised SCW’s response, particularly how decision-making and regional control of status updates were coordinated centrally, and how local teams were kept suitably informed to enable them to take the necessary mitigating actions.
Following the WannaCry incident, we developed a report for system stakeholders that identified further actions and recommendations to improve future responses. SCW has now implemented these as follows:
shortening the software patch acceptance testing cycle, taking into account the increase in risk that this creates
removing the ability for staff to indefinitely postpone the application of updates
standardising management tools across the estate so engineers need only contend with one platform in an emergency
reviewing investments in vulnerability and patch management software to assist operational teams
increasing checks on customer contact details, given the challenges in contacting ‘on call’ customer staff
bringing all third-party suppliers of IT services to SCW under one set of contractual terms to ensure response and access in the event of a business continuity incident, which was completed by the end of October 2017.