How NHS ignored warnings before WannaCry ransom attack

A patient appointment letter from an NHS hospital, next to a virus and spyware warning message on a laptop screen.
A patient appointment letter from an NHS hospital, next to a virus and spyware warning message on a laptop screen.
0
Have your say

BASIC security measures could have prevented the cyber attack that crippled parts of the NHS in May, a damning government report concludes today.

The Yorkshire Post says: Cyber attack exposed flaws... now NHS must get its act together

The National Audit Office says health officials had been warned last year about the likelihood of such an event, but did not respond formally until after it had happened.

Administrators still do not know the cost to the NHS of the attack, in which workers were locked out of their computers by rogue software called WannaCry.

Nearly 19,500 medical appointments, including 139 potential cancer referrals, were estimated to have been cancelled, with five hospitals having to divert ambulances away.

York Teaching Hospital NHS Foundation Trust was among those to cancel appointments after 16 of its sites were affected. Hospitals and NHS Trusts in Barnsley, Hull, East Yorkshire, North Lincolnshire and Goole were also hit.

Sir Amyas Morse, head of the National Audit Office, warned the health service and Department of Health to “get their act together” in the wake of the crisis, or risk suffering a more sophisticated and damaging future attack.

He said: “The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients.

“It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.”

Today’s report reveals that the health department had been warned about the risks of cyber attacks on the NHS in July last year but although work to improve security had begun, there had been no formal written response until July 2017, two months after the attack.

It also says that “on-site cyber security assessments” had been carried out at 88 out of the 236 health trusts in England before the attack but that none had passed. However, the IT department had no powers to make them take action.

More than 300,000 computers in 150 countries were infected with the WannaCry “ransomware”, which demanded money for an unlock code. No NHS organisation is thought to have paid the ransom.

The virus targeted computers with outdated security - the majority running versions of Windows 7 that had not been updated. At the time security experts warned the NHS that running such operating systems was a “ticking time bomb”, leaving it vulnerable to further attacks.

Dan Taylor, NHS Digital’s Head of Security, said WannaCry had been “an international attack on an unprecedented scale” from which the health service had “learned a lot”.

But Meg Hillier, chairman of the Commons Public Accounts Committee, said: “The NHS could have fended off this attack if it had taken simple steps to protect its computers and medical equipment. Instead, patients and NHS staff suffered widespread disruption, with thousands of appointments and operations cancelled.

“The Department of Health failed to agree a plan with the NHS locally for dealing with cyber attacks so the NHS response came too late in the day. The NHS and the department need to get serious about cyber security or the next incident could be far worse.”

Shadow health secretary Jonathan Ashworth said the report revealed “a catalogue of failures which needlessly left our NHS vulnerable and placed patient safety at risk”.

He said: “In the digital age, it is abundantly clear that a 21st Century health service should have been far better prepared for a cyber attack.”