NHS cyber attack could have been prevented with simple IT checks, report finds

“Basic IT security measures” could have prevented the cyber attack which shut down NHS computers in the North East last May, according to an independent investigation.

In May, the ‘WannaCry’ ransomware attack hit NHS networks, forcing hospitals to tell patients to avoid going to A&E. Northumbria Healthcare, which runs the Emergency Care Hospital in Cramlington, North Tyneside General Hospital and Hexham General Hospital, was one of the trusts affected.

The National Audit Office’s investigation into the hack found trusts were using Windows 7 computer systems which had not been updated to secure against a cyber attack.

The report, compiled by NAO head Sir Amyas Morse, contains an admission from NHS Digital that trusts could have taken “relatively simple action to protect themselves”.

Every hacked trust was running “unpatched or unsupported Windows operating systems so were susceptible to the ransomware”, according to the report.

Ahead of the attack, NHS Digital assessed cyber security at 88 health trusts in England. All failed, but NHS Digital did not have the power to make them take action to shore up security.

Nationally, 19,500 medical appointments were cancelled due to the attack, which infected computers at 81 health trusts in England, along with computers at 600 GP surgeries.

What did the cyber attack investigation reveal?

A virus and spyware warning message on a laptop screen, following a major cyber attack on NHS computer systems

• WannaCry was the largest cyber attack to affect the NHS to date.

• The Department of Health and NHS England “do not know the full extent of the disruption” caused by it.

• All those affected by WannaCry ran “unpatched or unsupported Windows operating systems so were susceptible to the ransomware”, mostly running Windows 7.

• They could have taken “relatively simple action to protect themselves”, NHS Digital told the investigation.

• Prior to the attack, NHS Digital carried out an “on-site cyber security assessment” at 88 out of the 236 health trusts in England. None passed. However, it had no powers to make them “take remedial action even if it has concerns about the vulnerability of an organisation”.

• The DoH and Cabinet Office wrote to NHS trusts in 2014, telling them to have “robust plans” to update older systems like Windows XP by April 2015, but some 5% of computers and machinery across the NHS were still using it in May 2017.

• The DoH had been warned about the risks of cyber attacks on the NHS in July 2016, but although work to improve security had begun, there was no formal written response until July 2017, two months after the attack.

• The DoH had developed a cyber attack response plan but had not tested it at a local level.

• The NHS had not rehearsed for a national-level cyber attack, which led to leadership and communication problems when it struck.

• The WannaCry attack could have caused even more disruption if it had not been for cyber researcher Marcus Hutchins, who activated a “kill-switch”.

• NHS Digital does not believe that patient data was compromised or stolen.

• The DoH, NHS England and the National Crime Agency said that no ransom was paid by the NHS but the health department “does not know how much the disruption to services cost”.

The attack was “unsophisticated” and could easily have been fought off

Northumbria Specialist Emergency Care Hospital, in Cramlington

Sir Amyas Morse said: “The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients.

“It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.

“There are more sophisticated cyber threats out there than WannaCry so the Department (of Health) and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

The NHS vows to learn from the attack

Dan Taylor, NHS Digital’s head of security, said WannaCry had been “an international attack on an unprecedented scale” and the NHS had “responded admirably to the situation”.

He added: “Doctors, nurses and professionals from all areas pulled together and worked incredibly hard to keep frontline services for patients running and to get everything back to normal as swiftly as possible.

“We learned a lot from WannaCry and are working closely with our colleagues in other national bodies to continue to listen, learn and offer support and services to frontline organisations.

“A large focus of this work is ensuring that the health and care system acts quickly and decisively to minimise the impact on essential front-line services and supporting resilience in the NHS against potential cyber threats.”

Keith McNeil, the NHS’s chief clinical information officer for health and care, said: “As the NAO report makes clear, no harm was caused to patients and there were no incidents of patient data being compromised or stolen.

“Tried and tested emergency plans were activated quickly and our hard-working NHS staff went the extra mile to provide patient care, keeping the impact on NHS services and patients to a minimum.”