U.K. to hire hackers in $27M health cybersecurity push

The United Kingdom has committed $27 million to a cybersecurity unit tasked with preventing the recurrence of hacks that knocked medical devices offline in May. Health chiefs will use the cash to hire ethical hackers to break into NHS computer systems and fix the vulnerabilities they expose, The Times reports.

Officials made the money available for cybersecurity at a time when the healthcare system is being made to work with a budget that is smaller than the one requested by its leaders. That prioritization of spending on cybersecurity while cash is constrained reflects the importance the U.K. is placing on digital defenses in the wake of the WannaCry ransomware attack, which hit medical devices and other connected technologies at one-third of NHS hospitals in England in May.

Having been criticized for maintaining vulnerable systems running on Windows XP and failing to mount a coherent response to WannaCry, the NHS has put out its biggest cybersecurity contract.

The $27 million IT contract will fund the creation of “a national, near real-time monitoring and alerting service that covers the whole health and care system.” Such a service would centralize these aspects of cybersecurity, rather than leaving the tasks up to individual hospitals.

Officials are also looking to the contract to beef up other aspects of cybersecurity. 

“The partnership will provide access to extra specialist resources during peak periods and enable the team to proactively monitor the web for security threats and emerging vulnerabilities,” NHS Digital told The Times. 

“It will also allow us to improve our capabilities in ethical hacking, vulnerability testing and the forensic analysis of malicious software and will improve our ability to anticipate future vulnerabilities while supporting health and care in remediating known threats.”

The ethical hacking aspect of the operation will task people with trying to break into NHS systems, starting with the central NHS Digital infrastructure and expanding to individual hospitals upon request. 

Planned proactive testing of the digital defenses contrasts sharply with the NHS’s prior practices. People inside the NHS and beyond knew it continued to use vulnerable operating systems in the run-up to the WannaCry attack. But, as the National Audit Office (NAO) found in its report (PDF), the healthcare system lacked a formal mechanism for assessing whether hospitals had patched their technologies.

The WannaCry attack hinted at how many devices remained vulnerable.  

“As at 19 May 2017, NHS England had identified 1,220 pieces of diagnostic equipment that had been infected, 1% of all such NHS equipment. Although a relatively small proportion of devices, the figure does not include devices disconnected from IT systems to prevent infection,” the NAO wrote. 

“The trusts we spoke to told us about the disruption they had experienced due to diagnostic equipment being infected or isolated, such as not being able to send MRI scan results to clinicians treating patients in other parts of the hospital.”