A cyber attack which crippled parts of the NHS in May could have been prevented if “basic IT security” measures had been taken, an independent investigation has found.
The head of the National Audit Office (NAO) warned the health service and Department of Health to “get their act together” in the wake of the WannaCry crisis, or risk suffering a more sophisticated and damaging future attack.
Computers at Wigan borough’s hospitals were wiped out for 12 hours during the cyber attack which caused disruption across multiple NHS organisations.
The NAO’s probe, released today, found that almost 19,500 medical appointments, including 139 potential cancer referrals, were estimated to have been cancelled, with five hospitals having to divert ambulances away after being locked out of computers on May 12.
The malware is believed to have infected machines at 81 health trusts across England - a third of the 236 total - plus computers at almost 600 GP surgeries, the NAO found.
All were running computer systems - the majority Windows 7 - that had not been updated to secure them against such attacks.
The NAO said that while the health service’s IT arm NHS Digital had issued “critical alerts” about WannaCry in March and April, the DoH had “no formal mechanism” to determine whether local NHS organisations had taken any action.
Sir Amyas Morse, the head of the NAO, said: “The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients.
“It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.
“There are more sophisticated cyber threats out there than WannaCry so the Department (of Health) and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
More than 300,000 computers in 150 countries were infected with the WannaCry ransomware.
It crippled organisations ranging from government agencies to global companies by targeting computers with outdated security.
At the time security experts warned the NHS that running outdated computer operating systems was a “ticking time bomb”, leaving it vulnerable to further attacks.
Medical staff reported seeing computers go down “one by one” as the attack took hold, locking machines and demanding money to release data on them.
Keith McNeil, the NHS’s chief clinical information officer for health and care, said: “As the NAO report makes clear, no harm was caused to patients and there were no incidents of patient data being compromised or stolen.
“Tried and tested emergency plans were activated quickly and our hard-working NHS staff went the extra mile to provide patient care, keeping the impact on NHS services and patients to a minimum.”
Dan Taylor, NHS Digital’s Head of Security, said WannaCry had been “an international attack on an unprecedented scale” and the NHS had “responded admirably to the situation”.
He added: “Doctors, nurses and professionals from all areas pulled together and worked incredibly hard to keep frontline services for patients running and to get everything back to normal as swiftly as possible.
“We learned a lot from WannaCry and are working closely with our colleagues in other national bodies to continue to listen, learn and offer support and services to frontline organisations.
“A large focus of this work is ensuring that the health and care system acts quickly and decisively to minimise the impact on essential front-line services and supporting resilience in the NHS against potential cyber threats.”