
Using WannaCry to bring GDPR up the priority list

Published 10 November 2017

Paul Heath, Regional Director, UK&I Public Sector at McAfee, explains how healthcare CISOs can leverage WannaCry to get the board to act on GDPR


The IT teams in healthcare organisations are facing unprecedented pressure. The typical CIO and/or CISO now has to cope with rising demand, networks and services that are growing more complex, and an estate that mixes new connected devices with legacy IT that still has to be managed - a survey conducted last December indicated that 90 per cent of Trusts are still running the unsupported Windows XP operating system.

And this doesn’t even account for the backdrop against which they’re having to manage this IT environment. In hospitals and health practices, the user community is constantly in “fire fighter mode” – doctors need to work fast to save lives – and IT can be perceived as getting in the way, which encourages them to resort to shadow IT. At the same time there are a number of new compliance issues that they must get their heads around, from the Information Governance Toolkit and the General Data Protection Regulation (GDPR) to ISO 27001 and Cyber Essentials Plus. And, given the ongoing financial challenges in the NHS, all of this must be achieved on low budgets.

Rise in consciousness

With all the challenges that hospital and practice managers are facing, it’s understandable that cybersecurity wasn’t always top of the priority list. However, since WannaCry, a number of CISOs are reporting a newfound consciousness amongst the board regarding the risk of cyberattacks, with executives bringing them in to explain how they’re defending the Trust and are going to protect its data and networks against similar future threats.

Responding to and alleviating the concerns of the board in the WannaCry aftermath could easily have become yet another point on their already over-burdened “to do list”. However, CIOs and CISOs should instead look at how they can harness this newfound consciousness to drive awareness and action on the next great IT challenge – GDPR.

The next great hurdle

GDPR is the new European regulation that covers the full data lifecycle: collection, processing, storage, use and destruction. Every organisation that handles personal data will be required to implement appropriate technical and organisational measures to protect the personal data of employees, patients and customers, but the regulation is not prescriptive about which controls to use. Applying from May 2018, it carries significant penalties: the highest tier, for the most serious infringements such as unlawful processing, is up to €20m or 4 per cent of global annual turnover (whichever is greater), while failures such as not reporting a data breach to the regulator fall under a lower tier of up to €10m or 2 per cent.

Applicable to private and public sectors alike, GDPR will introduce a new financial risk if health organisations suffer a breach and are found not to have met the minimum data security standards. After May 2018, healthcare organisations that suffer a cyberattack or data theft involving personal data will be obliged to report the event to the Information Commissioner’s Office (ICO) – within 72 hours of becoming aware of it, where the breach is likely to result in a risk to individuals – opening them up to the potential penalties outlined under GDPR.

Leverage point

While WannaCry is at the forefront of the board’s mind, CISOs and CIOs should use it to their advantage by highlighting the added financial risk that cyber threats pose under GDPR. This will enable them to present a case for the cybersecurity resources their Trust needs to invest in to provide an effective defence against future attacks – and that will help avoid non-compliance fines. These should include, but not be limited to: a SOC (Security Operations Centre), DLP (Data Loss Prevention), patch management, and the automation and integration of security solutions so that cybercriminals can’t exploit the gaps between them.

CISOs and CIOs should also take this opportunity to ensure that the Data Protection Officer, a role GDPR requires public authorities to appoint, has a good understanding of the cybersecurity risk to the Trust and how that bears on GDPR, as well as of its data management, storage and processing. Health Trusts should prioritise a Data Protection Officer with a level of expertise commensurate with the sensitivity, complexity and volume of data the Trust processes. They should also ensure that the DPO appointed has in-depth knowledge not only of GDPR but of other data laws, both general and specific to the health sector – not only in the UK and the EU but anywhere relevant to the way the Trust operates. Having found an appropriate candidate, it is then essential that the Trust gives the DPO sufficient independence and resources to address any needs they identify in a timely manner.

Make the best of a bad situation

There’s no question that NHS Trusts – and their IT teams – are still feeling bruised from the WannaCry ransomware attack. With 40 NHS Trusts affected – some unable to return to normal services for days – it’s understandable why.

However, it’s important that CISOs and CIOs look for the silver lining. The recent attack has pushed up the agenda the wealth of IT and security challenges that Trusts are now facing, as well as the risk to operations when a Trust falls victim to a cyberattack.

CISOs and CIOs must leverage the recent WannaCry attack and the newfound awareness it has raised to get sign-off on the necessary security investments – investments that will not only help them prevent similar attacks in the future, but also underpin their Trust’s GDPR compliance.
