The Courier & Advertiser (Fife Edition)
Cyber attack ‘could have been prevented by basic IT security measures’
Department of Health and NHS warned to ‘get their act together’ in wake of devastating WannaCry attack
A cyber attack which crippled parts of the NHS in May could have been prevented if “basic IT security” measures had been taken, an independent investigation has found.
The head of the National Audit Office (NAO) warned the health service and Department of Health (DoH) to “get their act together” in the wake of the WannaCry crisis, or risk suffering a more sophisticated and damaging future attack.
The NAO’s probe, released today, found that almost 19,500 medical appointments, including 139 potential cancer referrals, were estimated to have been cancelled, with five hospitals having to divert ambulances away after being locked out of computers on May 12.
The malware is believed to have infected machines at 81 health trusts across England – a third of the 236 total, plus computers at almost 600 GP surgeries, the NAO found.
All were running computer systems – the majority Windows 7 – that had not been updated to secure them against such attacks.
The NAO said that while the health service’s IT arm, NHS Digital, had issued “critical alerts” about WannaCry in March and April, the DoH had “no formal mechanism” to determine whether local NHS organisations had taken any action.
Sir Amyas Morse, the head of the NAO, said: “The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients.
“It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.
“There are more sophisticated cyber threats out there than WannaCry so the Department (of Health) and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
More than 300,000 computers in 150 countries were infected with the WannaCry ransomware.
It crippled organisations from government agencies and global companies by targeting computers with outdated security.
At the time security experts warned the NHS that running outdated computer operating systems was a “ticking time bomb”, leaving it vulnerable to further attacks.
Medical staff reported seeing computers go down “one by one” as the attack took hold, locking machines and demanding money to release data on them.
Accident and emergency units had to divert ambulances away at the Royal London Hospital; Broomfield Hospital in Chelmsford, Essex; the Lister Hospital in Stevenage, Herts; Basingstoke Hospital in Hampshire; and West Cumberland Hospital in Whitehaven, Cumbria.
The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients.
SIR AMYAS MORSE