Could the NHS cyber attack have been stopped? Government demands answers as system is hacked

The health service faces a weekend of chaos after the unprecedented attack forced hospitals to cancel and delay treatment for patients.

Yorkshire patients warned 'only to attend A&E if emergency' after hospital IT systems targeted by suspected cyber attackYorkshire NHS hospital trust affected after suspected cyber attack targets IT systems across countryCyber security experts investigating after malware attack on Yorkshire NHS organisations

It is feared computers in A&E wards, GP's surgeries and other vital services across the NHS were infected with a virus based on hacking tools developed by US cyber warfare agents.

At least 30 health service organisations in England and Scotland were infiltrated by the malicious software, while many others shut down servers as a precautionary measure, bringing added disruption.

Doctors reported seeing computers go down "one by one" as the "ransomware" took hold on Friday, locking machines and demanding money to release the data.

The National Cyber Security Centre (NCSC) said teams were "working round the clock" in response to the attack as it was reported up to 99 countries, including the US and Russia, were hit.

Prime Minister Theresa May said the Government is not aware of any evidence patient records had been compromised.

"This is not targeted at the NHS, it's an international attack and a number of countries and organisations have been affected," she added.

However shadow health secretary Jonathan Ashworth said the attack was "terrible news and a real worry for patients" and urged the Government to be "clear about what's happened".

Ross Anderson, professor of security engineering at Cambridge University's computer lab, said the incident is the "sort of thing for which the secretary of state should get roasted in Parliament.

"If large numbers of NHS organisations failed to act on a critical notice from Microsoft two months ago, then whose fault is that?" Mr Anderson told The Guardian.

Experts say the virus, called Wanna Decryptor, exploits a vulnerability in Microsoft Windows software first identified by American spies at the National Security Agency (NSA).

The tools were leaked on the web earlier this year when hackers dumped a cache of NSA files following a security breach.

Prior to the dump, Microsoft released a fix, or patch, for the issue, although computers that did not install the update, or could not due to the age of their software, would have been vulnerable to attack.

The US Department of Homeland Security said on Friday that the patch, released by Microsoft on March 16, "addresses this specific vulnerability, and installing this patch will help secure your systems from the threat".

In December it was reported nearly all NHS trusts were using an obsolete version of Windows that Microsoft had stopped providing security updates for in April 2014.

Data acquired by software firm Citrix under Freedom of Information laws suggested 90% of trusts were using Windows XP, then a 15-year-old system.

It is not known how many computers across the NHS today are still using Windows XP or recent variants Windows 8 and Windows 10.

Just one day before Friday's attack a doctor warned that NHS hospitals needed to be prepared for an incident precisely of the kind seen.

In an article published in the British Medical Journal, Dr Krishna Chinthapalli, a neurology registrar at the National Hospital for Neurology and Neurosurgery in London, said hospitals "will almost certainly be shut down by ransomware this year".

As the scale of the security breach became clear on Friday afternoon, ambulances were diverted and patients told to avoid some A&E departments.

Staff reverted to pen and paper and used their own mobiles after key systems were affected, including telephones.

A total of 19 English health organisations reported problems, including hospitals and clinical commissioning groups (CCGs) in London, Blackpool, Hertfordshire and Derbyshire.

United Lincolnshire Hospitals NHS Trust said it was forced to cancel all outpatient, endoscopy, cardiology and radiology weekend appointments across its three hospitals.

In Scotland, 11 geographical health boards, including the ambulance service and acute hospital sites, saw their IT networks infected.

At least one health trust found itself named as a victim of the cyber attack despite actually suffering from an unrelated server problem.

Security chiefs and ministers have repeatedly highlighted the threat to Britain's critical infrastructure and economy from cyber attacks.

In February the NHS official responsible for IT security warned that cyber attacks "have and will affect patient care".

Dan Taylor said "health has never paid a ransom" and organisations can recover files using back ups, however it can still lead to "days of cancellations to patient facing services".

In Russia, the Interior Ministry said around 1,000 computers were hit by a cyber attack on Friday.

Several companies in Spain were also crippled by ransomware attacks.

Telecoms firm Telefonica was one of those reporting problems, along with courier firm FedEx.

Last year, the Government established the NCSC to spearhead the country's defences.

In the three months after the centre was launched, there were 188 "high-level" attacks as well as countless lower-level incidents.

Chancellor Philip Hammond disclosed in February that the NCSC had blocked 34,550 potential attacks targeting UK Government departments and members of the public in six months.

Researcher Marco Cova said critics should take the complexity of keeping systems up-to-date into account.

"It's easy to blame people who don't upgrade," he said.

"But in practice things are often more complicated: operations team may not touch legacy systems for a number of reasons; in some cases they may even be unaware that such legacy systems are running in their infrastructure."

The virus's global spread has been slowed by the triggering of a virtual "kill switch" built in to the malware, according to reports.

It is understood the virus searched the web for a web address that, once activated, stopped the worm's transmission.

According to The Register the domain was activated on Friday.