‘Basic security’ could have protected NHS from WannaCry

27 October 2017

NHS organisations affected by the WannaCry cyber attack earlier this year could have taken simple actions to protect themselves, a National Audit Office (NAO) report has said.

The government spending watchdog said all the NHS organisations affected shared the same vulnerability, and that unpatched or unsupported versions of Windows operating systems had made them susceptible to ransomware attacks.

It also said taking action to manage their internet firewalls would have guarded against infections.

Head of the NAO Amyas Morse said: “[WannaCry] was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.

“There are more sophisticated cyber threats out there than WannaCry so the Department [of Health] and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

The DoH said it has robust measures in place to protect against cyber attacks, and that it has taken further action to improve resilience since the WannaCry attack.

The NHS said lessons had been learnt from the incident that meant it could respond more effectively in the event of a future attack.

The NAO report said the attack disrupted at least 34% of trusts in England, but that the full extent of the disruption was still unknown. In total 37 NHS trusts in England were locked out of their systems and a further 44 reported disruptions. An additional 603 primary care and other NHS organisations, including 595 GP practices, were infected.

NHS England said it had identified 6,912 appointments that had been cancelled because of the attack.

The report said DoH had been made aware of the rising risk of a cyber attack on the NHS a year before WannaCry by a Care Quality Commission (CQC) report.

The NAO also said DoH did not know how prepared arm’s-length bodies were, including local healthcare organisations. The DoH and the Cabinet Office had plans in place to move away from vulnerable legacy IT systems, but before May's attack the DoH had no formal mechanism for assessing whether NHS organisations had complied with advice or guidance.

The NHS was also criticised for not rehearsing its response to a national cyber attack; as a result, during the WannaCry incident there were communication problems and it was not clear who should have led the response.

No NHS trust paid the ransom, the report said.

In a statement posted on Twitter, a DoH spokesperson said: “Since May we have taken further action to strengthen resilience including new, unannounced CQC cyber security inspections, £21m in funding to improve resilience in trauma centres, and enhanced guidance for trusts.”

Professor Keith McNeil, chief clinical information officer for health and care, said: “As the NAO report makes clear, no harm was caused to patients and there were no incidents of patient data being compromised or stolen. 

“Tried and tested emergency plans were activated quickly and our hard-working NHS staff went the extra mile to provide patient care, keeping the impact on NHS services and patients to a minimum.”

The WannaCry attack infected thousands of computers worldwide in May this year, locking the information on them and demanding a ransom from the victims for the release keys.

It is estimated around 250,000 computers were locked before a researcher inadvertently triggered a kill-switch stopping the spread of the attack.
