While the additional £150m spend by the NHS on the Custom Support Agreement with Microsoft is a step in the right direction, it is only the start of a very long road. Coincidentally, this comes shortly after it was reported that 200 NHS trusts failed on-site security assessments. And with the GDPR deadline imminent, it raises the question of how much more money will be required to move the NHS to a more mature and proactive security posture.
Upgrading the NHS to Windows 10 will of course reduce the attack surface, but WannaCry showed that every version of Windows from XP as far up as Server 2016 was affected, because the flaw it exploited was a remote code execution vulnerability in version 1 of the Server Message Block (SMB) protocol. In addition, newer strains of ransomware have emerged since WannaCry that use more sophisticated techniques to infect victim organisations. SamSam ransomware has recently crippled various healthcare and government-run organisations by exploiting undiscovered bugs, as well as by brute-forcing weak passwords used for Remote Desktop Protocol (RDP) access. PlugX ransomware, which is delivered through weaponised email attachments such as PDF and Microsoft Word documents, has also targeted the healthcare sector.
Nor should we forget that, since WannaCry, we have already seen weaponised Microsoft Word documents using Dynamic Data Exchange (DDE) exploits, as well as fileless malware that leverages 'living off the land' tools such as PowerShell, Visual Basic Script and Windows Management Instrumentation (WMI). It is concerning that detecting threats at this level requires far more than patching and OS upgrades.
Identifying internal user threats with user and entity behaviour analytics (UEBA) is key to detecting privilege misuse, lateral movement and brute force attacks. Monitoring the areas of the endpoint that fileless malware abuses, such as the Windows Registry, with Registry Integrity Monitoring (RIM) is crucial to gaining deeper forensic insight into the more sophisticated attacks. Having a network monitoring solution in place helps to recognise data exfiltration, botnet beaconing and other suspicious network traffic.
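To make two of these detection ideas concrete, here is an added example (it is not code from the original article or from any NHS or vendor tooling): a brute-force detector over failed RDP logon events, which is the kind of signal a UEBA product raises, and a minimal Registry Integrity Monitoring check that diffs two snapshots of the autorun keys and flags new entries that launch a script host such as PowerShell. The event records, registry snapshots, IP addresses, user names, file paths and thresholds are all constructed for illustration, so the script runs offline.

```python
"""Added example (not from the original article): two small defender-side checks
illustrating UEBA-style brute-force detection and Registry Integrity Monitoring.
All event records, registry snapshots, IPs, names and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# --- Part 1: brute-force detection over failed logon events -------------------
# Constructed Windows Security log records reduced to the fields that matter:
# (timestamp, event_id, target_user, source_ip, logon_type).
# Event ID 4625 = failed logon, 4624 = successful logon; logon type 10 =
# RemoteInteractive, i.e. RDP. IPs come from RFC 5737 documentation ranges.
_T0 = datetime(2018, 5, 1, 9, 0, 0)
SAMPLE_EVENTS: List[Tuple[datetime, int, str, str, int]] = [
    (_T0 + timedelta(seconds=0),   4625, "admin",         "203.0.113.45", 10),
    (_T0 + timedelta(seconds=10),  4625, "administrator", "203.0.113.45", 10),
    (_T0 + timedelta(seconds=15),  4625, "svc_backup",    "10.0.0.5",      3),  # network logon, not RDP
    (_T0 + timedelta(seconds=20),  4625, "nhsadmin",      "203.0.113.45", 10),
    (_T0 + timedelta(seconds=30),  4625, "backup",        "203.0.113.45", 10),
    (_T0 + timedelta(seconds=40),  4625, "admin",         "203.0.113.45", 10),
    (_T0 + timedelta(seconds=50),  4625, "admin",         "203.0.113.45", 10),
    (_T0 + timedelta(seconds=60),  4625, "jsmith",        "198.51.100.7", 10),  # a mistyped password
    (_T0 + timedelta(seconds=90),  4624, "jsmith",        "198.51.100.7", 10),  # then success
    (_T0 + timedelta(seconds=300), 4625, "jsmith",        "198.51.100.7", 10),
]

def detect_rdp_bruteforce(events, threshold: int = 5,
                          window: timedelta = timedelta(minutes=2)) -> Dict[str, int]:
    """Return {source_ip: peak_failures} for every source that produced at least
    `threshold` failed RDP logons (4625, logon type 10) inside any sliding window
    of length `window`. Failures against different accounts are counted together,
    because spraying a weak password across many users is the usual RDP pattern."""
    failures = defaultdict(list)
    for ts, event_id, _user, src, logon_type in events:
        if event_id == 4625 and logon_type == 10:
            failures[src].append(ts)
    flagged: Dict[str, int] = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged

# --- Part 2: registry integrity monitoring of autorun keys --------------------
# Constructed snapshots of the Run keys as a RIM agent might capture them:
# {key_path: {value_name: command}}. The baseline is a known-good snapshot.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
USER_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
BASELINE_RUN_KEYS: Dict[str, Dict[str, str]] = {
    RUN_KEY: {"SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe"},
    USER_RUN_KEY: {
        "OneDrive": r'"C:\Users\jsmith\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    },
}
# Later snapshot with one constructed new entry that starts a script host.
CURRENT_RUN_KEYS: Dict[str, Dict[str, str]] = {
    RUN_KEY: dict(BASELINE_RUN_KEYS[RUN_KEY]),
    USER_RUN_KEY: {
        **BASELINE_RUN_KEYS[USER_RUN_KEY],
        "Updater": r"powershell.exe -WindowStyle Hidden -File C:\Users\Public\update.ps1",
    },
}

def registry_integrity_diff(baseline, current):
    """Compare two snapshots; return (added, removed, modified). Added/removed
    entries are (key, name, command); modified entries are (key, name, old, new)."""
    added, removed, modified = [], [], []
    for key in sorted(set(baseline) | set(current)):
        before, after = baseline.get(key, {}), current.get(key, {})
        for name in sorted(after.keys() - before.keys()):
            added.append((key, name, after[name]))
        for name in sorted(before.keys() - after.keys()):
            removed.append((key, name, before[name]))
        for name in sorted(before.keys() & after.keys()):
            if before[name] != after[name]:
                modified.append((key, name, before[name], after[name]))
    return added, removed, modified

# Script hosts and 'living off the land' binaries that fileless persistence
# typically relies on; an autorun entry invoking one deserves an analyst's eye.
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32", "regsvr32", "wmic")

def flag_script_host_autoruns(entries):
    """Keep only (key, name, command) entries whose command invokes a script host."""
    return [e for e in entries if any(h in e[2].lower() for h in SCRIPT_HOSTS)]

if __name__ == "__main__":
    for src, n in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT brute force: {src} made {n} failed RDP logons within a 2-minute window")
    added, _removed, _modified = registry_integrity_diff(BASELINE_RUN_KEYS, CURRENT_RUN_KEYS)
    for key, name, cmd in flag_script_host_autoruns(added):
        print(f"ALERT new autorun via script host: {key}\\{name} = {cmd}")
```

Run as-is it reports the single spraying source and the new PowerShell autorun while staying silent on the user who mistyped a password twice and on the untouched baseline entries; in practice the event tuples would be fed from a SIEM or the Security event log, and the registry snapshots from a scheduled endpoint agent, with the threshold and window tuned to the organisation's own logon patterns.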
Continuous security awareness training, following best practice and retaining skilled workers also need to be high on the priority list.
These are just some of the many challenges that the NHS has to address beyond its £150 million investment. The healthcare industry as a whole should already be addressing these areas in order to stay one step ahead of the attackers.
On Saturday, the Department of Health and Social Care announced that it had finally agreed a multi-million pound deal with Microsoft that would ensure all health and care organisations are able to use the most up-to-date software with the latest security settings. Thanks to the agreement, all legacy systems used by NHS organisations will be gradually upgraded to Windows 10, and the enhanced security capabilities of the latest operating system will be leveraged to reduce the likelihood and impact of security breaches or malware infection.