Dozens of NHS hospitals were paralysed by WannaCry ransomware in May because they had failed to take basic steps to secure their IT systems, an investigation has found.
The “relatively unsophisticated” strike led to the cancellation of an estimated 19,500 appointments across 81 trusts in England, the National Audit Office’s (NAO) report revealed.
Amyas Morse, head of the NAO, warned that “there are more sophisticated cyber attacks out there” and that the Department for Health and the NHS “need to get their act together”.
The report highlights that while the Department for Health had written to trusts in 2014 to urge them to update old software, it had no formal mechanism for checking that they had done so.
It had also failed to establish a reporting system to assess whether hospitals were equipped to deal with a cyber attack.
MP Meg Hillier, chair of the committee of public accounts, said that was the reason the health service’s response came too late in the day: “The NHS and the Department need to get serious about cyber security or the next incident could be far worse.”
The report suggests that the true extent of the attack may never be known. The department was not able to tell the NAO how much the disruption cost, and NHS England has not recorded how many GP appointments were cancelled, nor how many patients were diverted from A&E departments.
It does, however, draw attention to the fact that the attack could have been stopped if hospital trusts had installed a software update designed to fix the vulnerabilities it exploited, noting that IT staff were unable to update some machines because they ran Windows XP, a version of Windows that Microsoft no longer supported and for which no patch was available at the time.
Paul Edon, international services director at Tripwire, told NS Tech that IT managers should have taken measures to protect the vulnerable computers: “They knew which machines they couldn’t patch because they were unsupported by XP so they should have taken precautions around those devices.
“That might have meant putting extra protection in place and monitoring them more closely for change or they may well have, depending on the need, looked at replacing those machines.”
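As an added illustration of the "monitoring them more closely for change" that Edon describes, the script below is a minimal file-integrity baseline-and-compare check of the kind a team might run against a legacy host it cannot patch. It is example code written for this page, not code from the NAO report, Tripwire or NS Tech; the directory layout, file names and file contents it builds are constructed here purely to exercise the check, and the baseline is written to a JSON file next to the monitored tree only for convenience (in practice it should be stored off the host and read-only).

```python
"""File-integrity baseline and change check (added example; constructed data).

Walks a directory tree, records a SHA-256 digest, size and permission bits for
every regular file, and later compares a fresh snapshot against the saved
baseline, reporting added, removed and modified files. Not a Tripwire product
or any code referenced by the article.
"""
from __future__ import annotations

import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, dict]:
    """Return {relative_path: {sha256, size, mode}} for every regular file under root.

    Symlinks are skipped so a link pointing outside the tree cannot hide or
    spoof a monitored file.
    """
    result: dict[str, dict] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            rel = p.relative_to(root).as_posix()
            result[rel] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return result


def save_baseline(snap: dict[str, dict], baseline_file: Path) -> None:
    baseline_file.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(baseline_file: Path) -> dict[str, dict]:
    return json.loads(baseline_file.read_text())


def compare(baseline: dict[str, dict], current: dict[str, dict]) -> dict[str, list[str]]:
    """Diff two snapshots. A file is 'modified' if its digest, size or mode changed."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed tree, baseline it, tamper with it, and return the diff."""
    workspace = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    try:
        root = workspace / "monitored"          # stands in for a legacy host's install directory
        (root / "bin").mkdir(parents=True)
        (root / "logs").mkdir()
        (root / "bin" / "service.exe").write_bytes(b"MZ original service binary")   # constructed
        (root / "bin" / "config.ini").write_text("mode=production\n")              # constructed
        (root / "logs" / "old.log").write_text("nothing to see\n")                 # constructed

        baseline_file = workspace / "baseline.json"  # kept outside the monitored tree
        save_baseline(snapshot(root), baseline_file)

        # Simulated tampering: binary replaced, new executable dropped, log removed.
        (root / "bin" / "service.exe").write_bytes(b"MZ trojanised service binary")
        (root / "new").mkdir()
        (root / "new" / "dropper.exe").write_bytes(b"MZ unexpected payload")
        (root / "logs" / "old.log").unlink()

        return compare(load_baseline(baseline_file), snapshot(root))
    finally:
        shutil.rmtree(workspace, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real host the snapshot would be taken from a known-good state immediately after build, the baseline signed and stored centrally, and `compare` run on a schedule with any non-empty result raised as an alert; the untouched `config.ini` in the demo shows that an unchanged file produces no noise.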
In the wake of WannaCry, the government has pledged to spend £50m on improving cyber security and the protection of patient data in the NHS, including a £21m fund for the UK's 27 major trauma centres.
David Evans, the Chartered Institute for IT’s policy director, questioned the logic in providing extra cyber security funding for major trauma centres, but not for the rest of the NHS’s 240 trusts.
“The additional funding will be welcomed by NHS CIOs at major trauma sites, but the rest will have to consider cuts to other areas of budgets to shore up cyber security,” he said.