NHS could have prevented cyber attack
27 October 2017
A REPORT by the National Audit Office (NAO) has revealed that the NHS should have taken steps to prevent the cyber attack it suffered in May.
On 12 May, a computer virus, known as WannaCry, which encrypts data on infected computers and demands a ransom payment to allow users access, was released worldwide. WannaCry was the largest cyber attack to affect the NHS in England, although individual trusts had been attacked before 12 May.
The NAO investigation focused on the ransomware attack’s impact on the NHS and its patients; why some parts of the NHS were affected; and how the Department of Health and NHS national bodies responded to the attack. The key findings of the investigation are:
- The Department was warned about the risks of cyber attacks on the NHS a year before WannaCry and although it had work underway it did not formally respond with a written report until July 2017;
- The attack led to disruption in at least 34% of trusts in England although the Department and NHS England do not know the full extent of the disruption;
- Thousands of appointments and operations were cancelled and in five areas patients had to travel further to accident and emergency departments;
- The Department, NHS England and the National Crime Agency told NAO that no NHS organisation paid the ransom, but the Department does not know how much the disruption to services cost the NHS;
- The attack could have caused more disruption if it had not been stopped by a cyber researcher activating a ‘kill switch’ so that WannaCry stopped locking devices;
- The Department had developed a plan, which included roles and responsibilities of national and local organisations for responding to an attack, but had not tested the plan at a local level;
- NHS England initially focused on maintaining emergency care;
- NHS Digital told NAO that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves; and
- The NHS has accepted that there are lessons to learn from WannaCry and is taking action
Head of the National Audit Office Amyas Morse said: “The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
In a statement the Department of Health said: "The NHS has robust measures in place to protect against cyberattack.
"Since May we have taken further action to strengthen resilience and guard against future attack, including new, unannounced cyber security inspections by the Care Quality Commission, £21m in funding to improve resilience in trauma centres, and enhanced guidance for trusts."