Public Services > Healthcare

Cyber expert Thomas warns over possible latent WannaCry mechanisms

David Bicknell Published 06 February 2018

In written evidence to the PAC, cybersecurity and safety critical specialist Martyn Thomas warns it will be “very difficult to ensure that WannaCry did not install mechanisms designed to allow a future attack”


The Public Accounts Committee (PAC) examining the impact of the WannaCry attack on the NHS has received evidence from noted cyber security specialist Martyn Thomas that the NHS could still be at risk from mechanisms installed by the ransomware.

In written evidence submitted to the committee, Thomas, an internationally recognised expert in safety-critical or security-critical, software intensive systems, software engineering and cybersecurity, and who led a recent cybersecurity Science Capability Review for the Ministry of Defence, said, “It will have been very difficult to ensure that Wannacry did not install mechanisms designed to allow a future attack. If the NHS is confident that this did not happen, it would be reassuring to know that they have strong evidence for this confidence.” l

Thomas’s evidence pointed out that “fortunately, Wannacry was not a cyber-attack on the NHS. If it had been, the consequences would probably have been far worse.”

He added, “It would be extremely complacent to believe that a future attack would not succeed. Medical records systems are not built to withstand a cyber-attack; they use off-the-shelf commercial  or open-source software components and these components contain thousands of errors, many of which will be exploitable as the basis for a cyberattack.

His evidence continued, “Wannacry used nation-state level offensive cyber capabilities that had leaked, and few systems can withstand the use of such resources. It would be complacent to assume that such nation state resources will never leak in future or that the NHS will never be attacked by a national agency. But even a simple cyberattack may succeed because computer-based medical systems and equipment are validated in the main by testing them; this may (but need not) include some penetration testing to probe for vulnerability to cyberattack.

“Software engineers have known for 50 years that testing can only ever show that errors DO exist and can never show that there are NO errors remaining. It is unwise to assume that even heroic amounts of testing have identified more than half of the errors made by programmers.”

He said his points are also true for safety-critical medical devices such as pacemakers, infusion pumps, patient monitoring systems, surgical theatre equipment and radiotherapy systems.

For these reasons, he said, safety-critical medical systems should never be connected to the Internet or networked to other systems that are connected to the Internet, even for maintenance reasons, and procedures should be in place to detect and act on unusual system behaviour and to inhibit accidental system misuse or insider attacks.

Witnesses for a PAC evidence hearing earlier this week amounted to a Who’s Who of senior management with responsibility for IT and digital within the NHS. They included NHS England chief executive Simon Stevens, Sir Chris Wormald, Permanent Secretary at the Department of Health, Jim Mackey, former chief executive, Will Smart, chief information officer, NHS Improvement, and Rob Shaw, deputy chief executive at NHS Digital.

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.