A cyber attack which crippled parts of the NHS in May could have been prevented if “basic IT security” measures had been taken, an independent investigation has found.
The head of the National Audit Office warned the health service and Department of Health to “get their act together” in the wake of the WannaCry crisis, or risk suffering a more sophisticated and damaging future attack.
The NAO’s probe, released on Friday, found that almost 19,500 medical appointments, including 139 potential cancer referrals, were estimated to have been cancelled, with five hospitals having to divert ambulances away after being locked out of computers on May 12.
The malware is believed to have infected machines at 81 health trusts across England (a third of the 236 total), plus computers at almost 600 GP surgeries, the NAO found.
All were running computer systems – the majority Windows 7 – that had not been updated to secure them against such attacks.
The NAO said that while the health service’s IT arm NHS Digital had issued “critical alerts” about WannaCry in March and April, the DoH had “no formal mechanism” to determine whether local NHS organisations had taken any action.
Sir Amyas Morse, the head of the NAO, said: “The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients.
“It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department (of Health) and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
More than 300,000 computers in 150 countries were infected with the WannaCry ransomware. It crippled organisations ranging from government agencies to global companies by targeting computers with outdated security.
At the time security experts warned the NHS that running outdated computer operating systems was a “ticking time bomb”, leaving it vulnerable to further attacks.
Medical staff reported seeing computers go down “one by one” as the attack took hold, locking machines and demanding money to release data on them.
Accident and emergency units had to divert ambulances away at the Royal London Hospital; Broomfield Hospital in Chelmsford, Essex; the Lister Hospital in Stevenage, Herts; Basingstoke Hospital in Hampshire; and West Cumberland Hospital in Whitehaven, Cumbria.
The report, compiled by Sir Amyas, the comptroller and auditor general, also revealed:
:: WannaCry was the largest cyber attack to affect the NHS to date.
:: The Department of Health and NHS England “do not know the full extent of the disruption” caused by it.
:: All those affected by WannaCry ran “unpatched or unsupported Windows operating systems so were susceptible to the ransomware”, mostly running Windows 7.
:: They could have taken “relatively simple action to protect themselves”, NHS Digital told the investigation.
:: Prior to the attack, NHS Digital carried out an “on-site cyber security assessment” at 88 out of the 236 health trusts in England. None passed. However, it had no powers to make them “take remedial action even if it has concerns about the vulnerability of an organisation”.
:: The DoH and Cabinet Office wrote to NHS trusts in 2014, telling them to have “robust plans” to update older systems like Windows XP by April 2015, but some 5% of computers and machinery across the NHS were still using it in May 2017.
:: The DoH had been warned about the risks of cyber attacks on the NHS in July 2016, but although work to improve security had begun, there was no formal written response until July 2017, two months after the attack.
:: The DoH had developed a cyber attack response plan but had not tested it at a local level.
:: The NHS had not rehearsed for a national-level cyber attack, which led to leadership and communication problems when it struck.
:: The WannaCry attack could have caused even more disruption if it had not been for cyber researcher Marcus Hutchins, who activated a “kill-switch”.
:: NHS Digital does not believe that patient data was compromised or stolen.
:: The DoH, NHS England and the National Crime Agency said that no ransom was paid by the NHS but the health department “does not know how much the disruption to services cost”.
Dan Taylor, NHS Digital’s Head of Security, said WannaCry had been “an international attack on an unprecedented scale” and the NHS had “responded admirably to the situation”.
He added: “Doctors, nurses and professionals from all areas pulled together and worked incredibly hard to keep frontline services for patients running and to get everything back to normal as swiftly as possible. We learned a lot from WannaCry and are working closely with our colleagues in other national bodies to continue to listen, learn and offer support and services to frontline organisations.”
Meg Hillier, chairwoman of the Public Accounts Committee, said: “The NHS could have fended off this attack if it had taken simple steps to protect its computers and medical equipment. Instead, patients and NHS staff suffered widespread disruption, with thousands of appointments and operations cancelled.
“The Department of Health failed to agree a plan with the NHS locally for dealing with cyber attacks so the NHS response came too late in the day. The NHS and the department need to get serious about cyber security or the next incident could be far worse.”