The NHS could have prevented the WannaCry cyber attack earlier this year if it had followed basic IT security best practice, an investigation by the National Audit Office has found.
Back in May, the worldwide release of the WannaCry ransomware, which encrypts data on infected computers and demands a ransom payment to restore users' access, triggered the largest cyber attack to affect the NHS in England.
The attack led to disruption in at least 34 percent of trusts in England, although the Department of Health and NHS England do not know the full extent of the disruption nor its financial impact, according to the NAO report.
Thousands of appointments and operations were cancelled and in five areas patients had to travel further to accident and emergency departments, although again exact numbers are not known.
The NAO says the DH was warned about the risks of cyber attacks on the NHS a year before WannaCry, “and although it had work underway it did not formally respond with a written report until July 2017.”
Furthermore, while NHS Digital issued critical alerts in March and April warning organisations to ramp up their defences against WannaCry, the DH had no formal mechanism for assessing whether local NHS organisations had complied with that advice or whether they were prepared for such a cyber attack.
NHS Digital told the NAO that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple steps to protect themselves against the virus.
“Infected organisations had unpatched or unsupported Windows operating systems so were susceptible to the ransomware. However, whether organisations had patched their systems or not, taking action to manage their firewalls facing the internet would have guarded organisations against infection,” the report stressed.
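The report's two findings, unsupported or unpatched Windows and internet-facing exposure, are the sort of thing an estate can check from inventory data before an outbreak rather than after. The following is an added example, not code from the NAO report, NHS Digital or the NHS: it audits a constructed host inventory and a constructed inbound firewall rule set for both conditions. It assumes facts the article does not state, namely that WannaCry propagated over SMB on TCP port 445 and that the relevant fix was Microsoft's MS17-010 update; the host names, rule format and unsupported-OS list are invented for the example.

```python
"""
Added example: audit a constructed host inventory and inbound firewall rules
for the two conditions the NAO report names, unsupported or unpatched Windows
and SMB reachable from the internet. Not NHS or NAO code.

Assumptions not stated on the page: WannaCry spread over SMB on TCP 445 and
the relevant fix was MS17-010. Host and rule formats are made up.
"""
import ipaddress
from dataclasses import dataclass, field

SMB_PORT = 445
REQUIRED_PATCH = "MS17-010"
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}  # out of support in 2017

# Only these IPv4 ranges count as internal; an inbound allow rule whose source
# is not wholly inside one of them is treated as internet-facing exposure.
INTERNAL_NETS = [ipaddress.ip_network(c)
                 for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    patches: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Rule:
    host: str
    direction: str  # "inbound" or "outbound"
    action: str     # "allow" or "block"
    proto: str      # "tcp" or "udp"
    port: int
    source: str     # IPv4 CIDR, or "any"


def is_internet_source(source):
    """True unless the source CIDR sits entirely inside an internal range."""
    cidr = "0.0.0.0/0" if source == "any" else source
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETS)


def os_findings(host):
    """Support/patch findings for one host; an empty list means nothing to fix."""
    findings = []
    if host.os in UNSUPPORTED_OS:
        findings.append(f"{host.name}: {host.os} is unsupported, no patch available")
    elif REQUIRED_PATCH not in host.patches:
        findings.append(f"{host.name}: missing {REQUIRED_PATCH}")
    return findings


def exposed_smb(rules):
    """Hosts with an inbound allow for TCP 445 from outside the internal ranges."""
    return sorted({
        r.host for r in rules
        if r.direction == "inbound" and r.action == "allow"
        and r.proto == "tcp" and r.port == SMB_PORT
        and is_internet_source(r.source)
    })


def audit(hosts, rules):
    """Combine both checks per host. As the report notes, an unpatched host
    whose SMB is not reachable from the internet is still guarded."""
    exposed = set(exposed_smb(rules))
    return {h.name: {"os_findings": os_findings(h),
                     "smb_exposed": h.name in exposed}
            for h in hosts}


# Constructed sample data for the example.
SAMPLE_HOSTS = [
    Host("pacs01", "Windows XP"),
    Host("file02", "Windows Server 2012", frozenset({"MS17-010"})),
    Host("ws03", "Windows 7", frozenset({"MS16-120"})),
]
SAMPLE_RULES = [
    Rule("pacs01", "inbound", "allow", "tcp", 445, "any"),
    Rule("file02", "inbound", "allow", "tcp", 445, "10.0.0.0/8"),
    Rule("ws03", "inbound", "allow", "tcp", 445, "203.0.113.0/24"),
]

if __name__ == "__main__":
    for name, result in audit(SAMPLE_HOSTS, SAMPLE_RULES).items():
        print(name, result)
```

The audit flags every matching allow rule and does not model rule precedence, so a block rule ordered ahead of an allow on the real firewall would still be reported here; that is deliberate for a quick inventory pass, where a false positive costs a look at the rule set and a miss costs an infected trust.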
Also, while the DH had drawn up a cyber attack response plan, including the roles and responsibilities of national and local organisations in such an event, the plan had not been tested at a local level. As a result, it was not immediately clear who should lead the response, and there were problems with communications, the report noted.
“The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice,” said Amyas Morse, head of the NAO.
“There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”