Wannacry and NHS Lothian

I was reading the Spanish news when I first heard about Telefonica being attacked by an unknown ramsonware. The situation seemed to be quite critical, according to the news this malware was able to spread quite easily and some Telefonica’s customers apparently were impacted as well.

Because I work as a Senior Network Engineer at NHS Lothian (Scotland), I was quite curious about everything was going on and I decided to get in contact with a close friend who works for the Security department at Telefonica with no success. Now I understand how busy she must have been, but I could not imagine the big worldwide impact of wannacry by then.

I updated some colleagues about the situation and we put ourselves in “alert mode” as we are part of the Security team and we were not sure yet what we were facing. Soon, we knew some other NHS Boards in England were affected by wannacry and not too long after NHS Lanakrshire was affected in Scotland. We knew we were at risk as all NHS Boards are part of Scottish Wide Area Network (SWAN), which is the secure network for Scotland’s public services and it is considered a “trusted” network.

I was at the office last Friday, when around 15:50h I was blocking traffic on all our perimeter firewalls to stop connections to port 445 and also blocking files with specific sha256 values. Thanks to collaboration with other NHS Boards and the information provided we successfully manage to avoid wannacry to have any impact on NHS Lothian Services.

Figure 1 shows that only three boards where not affected in Scotland by wannacry: 10 – NHS Lothian, 11 – NHS Orkney and 12 –  NHS Shetland.

Figure 1

Obviously, NHS Lothian was kind of lucky of not being attacked first, but  the team I am part of has worked too hard to achieve a strong security architecture which allowed us to have a fast response according to the circumstances. When I notified that I had completed the changes needed, NHS Lothian involved the eHealth team to start working on patching, updates and we continued monitoring and analyzing quite closely all our network traffic.

Now that it is known more about wannacry, I have this good feeling seeing that all my hard work during the last 5 years at NHS Lothian has turned out into an effective protection against such as important cyber attack.

References:

http://www.bbc.co.uk/news/uk-scotland-39896639

https://www.thescottishsun.co.uk/news/997765/nhs-cyber-attack-scotland-ransom/