- The NHS has huge security failings and could have prevented the WannaCry attack earlier this year, according to a government report.
- In May 2017, ransomware caused havoc in Britain’s health service.
- It had been warned about the risks of cyberattacks more than a year before.
LONDON — The NHS had been warned about the risks of cyberattacks a year before the devastating WannaCry attack earlier this year and failed to take basic steps that could have prevent it, according to a government report.
In May 2017, a strain of ransomware called WannaCry caused spread rapidly around the globe, encrypting users’ data and causing havoc. The UK’s National Health Service was badly hit, with 81 out of 236 NHS trusts in England affected, along with 595 GP practices.
Ambulances were forced to be redirected from some hospitals and thousands of appointments were cancelled, with its spread only halted by the actions of security researcher Marcus Hutchins investigating the malware.
And on Friday, the National Audit Office published a scathing report highlighting the NHS’ lack of preparedness for such an attack. Key findings include:
- Organisations were infected because they were running out-dated, unpatched versions of Microsoft Windows. And even if they didn’t patch them, they could have still protected themselves by using software firewalls properly.
- In 2014, the Department of Health and the Cabinet office wrote to NHS Trusts asking them to make sure they had “robust plans” to move away from old software by April 2015.
- No NHS organisations paid the ransom demanded by the malware.
- The Department of Health had developed a plan for responding to cyberattacks but hadn’t tested it at a local level.
- The lack of a rehearsal for an attack meant “it was not immediately clear who should lead the response and there were problems with communications.”
- Prior to the attack, the Department of Health didn’t have any formal mechanism for checking whether local NHS organisations were following their advice on cybersecurity issues.
- The NHS doesn’t know how much the attack cost it overall — with costs including employee overtime, and technical support to get systems back online.
- NHS Digital does not believe any patient data was affected or stolen.
Amyas Morse, head of the National Audit Office, criticised the NHS and Department of Health in a statement.
“The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice,” they said.
“There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”