NHS 'could have prevented' WannaCry cyber attack with basic IT security

The NHS could have prevented the crippling cyber attack that took place in May if "basic security" measures had been taken, an independent investigation has found.

The probe by the National Audit Office found that almost 19,500 medical appointments were estimated to have been cancelled, including 139 potential cancer referrals - with five hospitals having to divert ambulances away after being locked out of computers on May 12.

The head of the NAO warned the health service and Department of Health to "get their act together" in the wake of the WannaCry crisis, or risk suffering a more sophisticated and damaging future attack.

The malware is believed to have infected machines at 81 health trusts across England plus computers at almost 600 GP surgeries, the NAO found.

All were running computer systems - the majority Windows 7 - that had not been updated to secure them against such attacks.

The NAO said that while the health service's IT arm NHS Digital had issued "critical alerts" about WannaCry in March and April, the DoH had "no formal mechanism" to determine whether local NHS organisations had taken any action.

Sir Amyas Morse, the head of the NAO, said: "The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients.

"It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.

"There are more sophisticated cyber threats out there than WannaCry so the Department (of Health) and the NHS need to get their act together to ensure the NHS is better protected against future attacks."

More than 300,000 computers in 150 countries were infected with the WannaCry ransomware.

It crippled organisations ranging from government agencies to global companies by targeting computers with outdated security.

Medical staff reported seeing computers go down "one by one" as the attack took hold, locking machines and demanding money to release data on them.

NHS Digital told the investigation that the affected organisations could have taken "relatively simple action to protect themselves" against what was the largest cyber attack to affect the NHS.

The full extent of the disruption is still not known by the Department of Health and NHS England.

Prior to the attack, NHS Digital carried out cyber security assessments at 88 out of the 236 health trusts in England - none passed.

The report said that the Department of Health and the Cabinet Office had warned NHS trusts in 2014 to create "robust plans" to update older software systems but not all trusts acted.

The NAO said the attack could have caused even more disruption if it had not been for cyber researcher Marcus Hutchins, who accidentally activated a "kill-switch".

The report, compiled by Sir Amyas, the comptroller and auditor general, also revealed that NHS Digital does not believe that patient data was compromised or stolen.

Dan Taylor, NHS Digital's Head of Security, said WannaCry had been "an international attack on an unprecedented scale" and the NHS had "responded admirably to the situation".

He added: "Doctors, nurses and professionals from all areas pulled together and worked incredibly hard to keep frontline services for patients running and to get everything back to normal as swiftly as possible.

"We learned a lot from WannaCry and are working closely with our colleagues in other national bodies to continue to listen, learn and offer support and services to frontline organisations."

Shadow health secretary Jonathan Ashworth said the report revealed "a catalogue of failures which needlessly left our NHS vulnerable and placed patient safety at risk".

He said: "In the digital age, it is abundantly clear that a 21st Century health service should have been far better prepared for a cyber attack.

"The Government must now outline as a matter of priority what action it is taking to keep patients safe this winter and beyond.

"Complacency simply isn't an option, and patients and staff deserve urgent reassurances that our NHS, and its sensitive data, is kept safe and secure."