The NHS has been ordered to ‘get its act together’ or risk another devastating cyber attack like the ‘WannaCry’ ransomware breach which crippled the health service in May.
A damning investigation into digital crisis by the National Audit Office, found that NHS bodies had been warned as early as 2014 that their systems were vulnerable to hackers.
In the months preceding the attack, NHS Digital had even issued ‘critical alerts’ about the WannaCry virus, urging IT departments to update their online security systems.
The NAO report, released today, found that almost 19,500 medical appointments, including 139 potential cancer referrals, were probably cancelled, with five hospitals forced to divert ambulances away after being locked out of computers on May 12.
NHS Providers, which represents hospitals, warned that further attacks were ‘inevitable’ while the head of the NAO said the health service must improve its resilience or it would suffer a more sophisticated and damaging breach.
“The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients,” said NAO auditor general Sir Amyas Morse.
“It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.
“There are more sophisticated cyber threats out there than WannaCry so the Department of Health and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
The WannaCry attack is the largest faced by the NHS to date, infecting computers at 81 health trusts across England – a third of the 236 total, as well as almost 600 GP surgeries.
All were running computer systems – the majority Windows 7 – that had not been updated with anti-virus software to secure them against attacks, even though security experts had warned that outdated systems were ‘a ticking timebomb’.
On the day of the attack, medical staff reported seeing computers go down ‘one by one’ as the virus took hold, locking machines and demanding money to release data.
Accident and emergency units had to divert ambulances away at the Royal London Hospital; Broomfield Hospital in Chelmsford, Essex; the Lister Hospital in Stevenage, Herts; Basingstoke Hospital in Hampshire; and West Cumberland Hospital in Whitehaven, Cumbria.
The report found that the attack could have caused even more disruption had it not been for cyber researcher Marcus Hutchins, who activated a ‘kill-switch’.
The NAO said that while the health service’s IT arm NHS Digital had issued ‘critical alerts’ about WannaCry in March and April this year, the Department of Health had ‘no formal mechanism’ to determine whether local NHS organisations had taken any action.
Prior to the attack, NHS Digital also carried out on-site cyber security assessments at 88 health trusts in England, of which none passed, yet the organisation had no powers to force them to improve their systems.
Jonathan Ashworth MP, Labour’s Shadow Health Secretary, said: “This report reveals a catalogue of failures which needlessly left our NHS vulnerable and placed patient safety at risk.
“The Government must now outline as a matter of priority what action it is taking to keep patients safe this winter and beyond.”
The report also revealed that the DoH had been warned about the risks of cyber attacks on the NHS in July 2016 but, although work to improve security had begun, there was no formal written response until July 2017, two months after the attack.
Liberal Democrat Health Spokesperson Judith Jolly said: “Such a simple cyber-attack should never have been allowed to bring the NHS to its knees in this way.
“Ministers must ensure lessons are learned and that NHS trusts have the resources to defend themselves against future cyber-attacks.”
As well as the NHS, more than 300,000 computers at government agencies and companies across the globe were infected with WannaCry, which shut down machines and demanded cash.
Ben Clacy, Director of development and operations at NHS Providers, said: “Further attacks are inevitable so it is important that lessons are learned. This report makes a useful contribution to that process.
“The NHS is taking steps at national and local level to prepare for the next attack. Part of this is to ensure that trusts apply software patches and keep anti-virus software up to date.
“And there are lessons too around communication, both within the NHS and with the wider public.”
Dan Taylor, NHS Digital’s Head of Security, said: “We learned a lot from WannaCry and are working closely with our colleagues in other national bodies to continue to listen, learn and offer support and services to frontline organisations.”