‘Simple action’ could have foiled NHS WannaCry attack

The NHS could have taken simple steps to prevent the shutdown caused by WannaCry ransomware attack, according to the National Audit Office (NAO). 

Occurring on 12 May this year, the WannaCry virus infected computers around the world, including computers in a large number of NHS trusts across the UK.

The virus encrypted users’ files, demanding a ransom payment to gain access to them.

The event led to mass disruption across the NHS, causing appointment and operation cancellations while trusts in London, Essex, Hertfordshire, Hampshire and Cumbria had to divert patients to other hospitals to access A&E services.

NHS England identified 6,912 appointment cancellations and estimated over 19,000 would have been cancelled in total.

Initially, the incident was thought to have affected just 45 NHS organisations in total, 37 of which had been infected directly.

However, a new report from the NAO states that the number is at least 81 (34%) of the 236 English trusts, whilst a further 603 primary care organisations – including 595 GP practices – were affected.

The report also reveals concerns over the Department of Health’s (DoH) reaction to warnings of NHS cyber-attacks.

In 2014, the DoH and the Cabinet Office informed trusts of the need for plans to upgrade IT software by April 2015. In March and April of this year, NHS Digital issued critical warnings to trusts to patch their systems to prevent a cyber-attack.

However, no formal DoH process was in place to assess whether NHS organisations had heeded their advice. The DoH also did not formally respond to warnings about NHS cyber-attacks -made a year prior to the WannaCry event – until July this year.

In addition, plans that had been drafted by the DoH had not been tested. Furthermore, there had been no rehearsals of a cyber-attack on the NHS, which meant understanding of who would lead the response was unclear, says the report.

According to NHS Digital, the attack could have been prevented by installing security patches and correctly implementing firewalls on outdated and unsupported NHS computers.

Amyas Morse, head of the National Audit Office.

“The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients,” said Amyas Morse, head of the National Audit Office. “It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

In response to the attack, NHS England and NHS Improvement – responsible for overseeing foundation trusts and NHS trusts – have written to every major health body in the UK asking for them to address NHS Digital warnings made between March and May of 2017.

However there were also plenty of private sector firms which were also affected by WannaCry. The following month saw pharma giant Merck hit by a similar ransomware attack, dubbed GoldenEye, which saw the company’s IT networks paralysed and its data potentially compromised.

Don't miss your daily pharmaphorum news.
SUBSCRIBE free here.