David Stone, Principal, Consulting Services, Divurgent
Quang Nguyen, Manager, Consulting Services, Divurgent
Saneel Vasram, Management Consultant, Gevity
In May 2017, the National Health Service (NHS) in the United Kingdom was crippled by the global WannaCry ransomware attack, which was thought to have been created by a group tied to North Korea. As the crisis stretched into days, 40 hospitals were locked out of their IT systems, 16 were shut down, surgeries were canceled, and caregivers were forced to treat patients without access to their medical records, lab tests, x-rays, or even information on allergies. Physicians reverted to pen and paper to document care. During the shutdown, the attackers demanded ransom payments. The crisis only ended after Microsoft created a security patch that remedied the problem.
NHS had been warned over the year leading up to the attack that their systems were vulnerable to ransomware attacks. This was in large part because NHS organizations in the UK were using an untold number of systems and applications running on Windows XP, which was an outdated, 16-year-old operating system at the time (Bodkin, et. al., 2017).
Luckily, nobody died, but the attack was estimated to cost the NHS at least £19 million in lost output and £73 million in IT costs during and after the attack (Department of Health and Social Care, 2018).
It had been a growing information security disaster waiting to happen for at least a decade, but it did not have to be. If IT managers had conducted an effective application rationalization program prior to the attack, it likely never would have happened.
