NHS 'could have prevented' WannaCry ransomware attack

Image caption: WannaCry was the biggest cyber-attack that has affected the NHS to date

NHS trusts were left vulnerable in a major ransomware attack in May because cyber-security recommendations were not followed, a government report has said.

More than a third of trusts in England were disrupted by the WannaCry ransomware, according to the National Audit Office (NAO).

At least 6,900 NHS appointments were cancelled as a result of the attack.

The NAO chief said the Department of Health and the NHS must now "get their act together".

WannaCry, which spread to more than 150 countries in a worldwide ransomware outbreak beginning on 12 May, was the biggest cyber-attack to have hit the NHS to date.

The malware encrypted data on infected computers and demanded a ransom roughly equivalent to £230 ($300).

The NAO report said there was no evidence that any NHS organisation paid the ransom - but the financial cost of the incident remained unknown.

An assessment of 88 out of 236 trusts by NHS Digital before the attack found that none passed the required cyber-security standards.

Image caption: As a result of disruption caused by WannaCry, patients were turned away from appointments

The report said NHS trusts had not acted on critical alerts from NHS Digital and a warning from the Department of Health and the Cabinet Office in 2014 to patch or migrate away from vulnerable older software.

The Department of Health also lacked important information, the report said.

"Before 12 May 2017, the Department had no formal mechanism for assessing whether NHS organisations had complied with its advice and guidance."

Organisations could also have better managed their computers' firewalls - but in many cases they did not, it said.

NHS organisations have not reported any cases of harm to patients or of their data being stolen as a result of WannaCry.

NHS England has identified 6,912 appointments - including operations - that were cancelled as a direct result of the ransomware.

But it estimated that about 19,000 appointments in total may have been affected.


Cases included at least 139 people potentially with cancer, who had urgent referrals cancelled.

It is not known:

  • how many GP appointments were cancelled
  • how many ambulances and individuals were diverted from the five accident and emergency departments that were unable to treat some patients
  • how many trusts or GPs experienced delays in information, such as test results

The NAO credits the widely reported work of cyber-security researcher Marcus Hutchins, who accidentally helped to stop the spread of WannaCry.

His "kill switch" involved registering a domain name linked to the malware, which deactivated the program's ability to spread automatically.
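Because the worm looks up the kill-switch domain before deciding whether to spread, that lookup is also a useful incident-response signal: any internal host that queried the domain ran the malware, whether or not the domain had been registered yet. The following is an added example of that triage step, not code from the NAO report or the BBC; the domain name and the resolver log format are placeholders constructed for illustration.

```python
import re

# Placeholder: the report does not name the kill-switch domain; substitute the real one here.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed sample of a DNS resolver query log (not real NHS data).
SAMPLE_DNS_LOG = """\
2017-05-12T13:05:01Z client=10.20.1.15 query=killswitch-domain.example type=A
2017-05-12T13:05:03Z client=10.20.1.15 query=killswitch-domain.example type=A
2017-05-12T13:06:10Z client=10.20.7.42 query=intranet.example type=A
2017-05-12T13:07:55Z client=10.20.3.9 query=KILLSWITCH-DOMAIN.EXAMPLE. type=A
2017-05-12T13:09:12Z client=10.20.7.42 query=update.example type=A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) type=(?P<qtype>\S+)$"
)


def parse_dns_log(text):
    """Yield (timestamp, client, normalised query name); skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # Normalise case and strip a trailing dot so lookups compare reliably.
            yield m.group("ts"), m.group("client"), m.group("qname").rstrip(".").lower()


def hosts_querying_kill_switch(text, domain=KILL_SWITCH_DOMAIN):
    """Map each client that looked up the kill-switch domain to (first lookup time, count).

    A lookup means the worm executed on that host. Whether it then spread depends on
    whether the domain resolved at that moment, so every hit is a host to isolate and
    triage regardless of when the domain was registered.
    """
    hits = {}
    for ts, client, qname in parse_dns_log(text):
        if qname == domain.lower():
            first, count = hits.get(client, (ts, 0))
            hits[client] = (first, count + 1)
    return hits


if __name__ == "__main__":
    for client, (first, count) in sorted(hosts_querying_kill_switch(SAMPLE_DNS_LOG).items()):
        print(f"{client}: first lookup {first}, {count} lookup(s) -> isolate and triage")
```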


The NAO said the NHS "has accepted that there are lessons to learn" from WannaCry and will now develop a response plan.

It will also ensure that critical cyber-security updates - such as applying software patches - are carried out by IT staff, the NAO said.

WannaCry was "a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice," said Sir Amyas Morse, comptroller and auditor-general of the NAO.

"There are more sophisticated cyber-threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks."

Keith McNeil, chief clinical information officer for health and care at NHS England, said emergency plans were activated quickly and staff "went the extra mile" to provide care.


Analysis - by Rory Cellan-Jones, technology correspondent

For many executives, a serious cyber-attack is now very high on their list of risks to their organisations and a priority for disaster planning.

So what is most shocking in this report is the lack of planning at a local level in the NHS for such an event.

To be fair, the Department of Health had developed a plan - it was just that it had not been properly communicated or tested in the NHS trusts. When disaster struck, nobody seemed to know who was in charge or what to do.

Of course, all of this could have been avoided if security patches had been applied to protect the Windows 7 systems common throughout the NHS. Once again, there had been warnings sent out by NHS Digital, but many trusts failed to act upon them - though in that they were no different from many organisations around the world that were also hit.

In one way, the NHS was lucky - if, instead of a Friday in May, the attack had taken place on a Monday in winter, with a week's appointments affected, the damage would have been far worse.

Cyber-security experts will tell you that dealing with attacks like these is mostly a management rather than a technology problem. And in this case the NHS proved itself incapable of managing a speedy and effective response to its first major cyber-security crisis.
