Why the NHS caught a hacking cough
Report says trusts ignored warnings a month before the attack
As ransomware attacks go, WannaCry wasn't particularly sophisticated. Although it reached 150 countries, it contained amateur flaws such as a URL in the code that security experts used to stop it spreading further. This makes the NHS's inability to deal with it all the more alarming.
WannaCry struck on Friday 12 May, crippling computers in hospitals run by 81 NHS England health trusts and 600 GP surgeries. Within hours, as systems crashed and thousands of patients were turned away, it became clear the NHS was acutely vulnerable to cyber-attack. But why?
Five months on we have the answer. A report (www.snipca.com/26061) from the National Audit Office (NAO), published in late October, found that NHS trusts hadn't acted on warnings to upgrade their operating systems. In 2014, the Department of Health told trusts to develop "robust plans" to move on from Windows XP by 2015. But the report said there was no way for the Department to check whether NHS organisations had followed its advice.
In March and April 2017 NHS Digital issued "critical alerts" warning trusts to update their systems to fix the exact flaw that WannaCry exploited. An assessment of 88 trusts by NHS Digital before the attack found that none met the required cyber-security standards.
The Department of Health had developed a plan for coping with a cyber-attack, but the NAO says it was never tested at a local level. So when WannaCry hit, hospitals and GP surgeries didn't know how to respond, and it was never obvious who was in charge.
Making matters worse, hospitals couldn't contact national NHS bodies for help by email because their email systems were infected, though they did speak by phone. NHS staff were forced to share information via their personal phones, many using WhatsApp. Keith McNeil, NHS chief clinical information officer for health and care, said "hard-working staff went the extra mile to provide patient care".
Given these failings, it’s no surprise the NHS couldn’t cope. And yet in some respects it got lucky. Disruption at primary-care services, such as GP and dental surgeries, was restricted to Friday, because they tend to close at weekends. An attack in January, in the middle of the flu season, would have been more devastating.
But that will be scant consolation to the patients affected. NHS England estimates that around 19,500 appointments, including those involving 139 cancer patients, were cancelled. In five areas (London, Essex, Hertfordshire, Hampshire and Cumbria) hospitals turned away ambulances, forcing them to travel to other A&E departments.
The report acknowledges that no sensitive data was stolen, no patients were harmed, and no ransom was paid, but it still delivers a damning verdict. Sir Amyas Morse, comptroller and auditor-general of the NAO, said the attack could have been prevented by "following basic IT security best practice". He warned that there are "more sophisticated cyber-threats out there" and urged the Department and NHS "to get their act together to ensure the NHS is better protected".
So what will the NHS do? Its priority is to implement all the security measures outlined by NHS Digital before the attack, such as applying security fixes. It also plans to strengthen hospitals' firewalls. But this is merely playing catch-up. In the long term the NHS also needs a culture change to take cyber-security more seriously.