The Courier & Advertiser (Fife Edition)
Ransomware and risks
WannaCry was the largest cyber attack to affect the NHS to date.
The Department of Health and NHS England “do not know the full extent of the disruption” caused by it.
All those affected by WannaCry ran “unpatched or unsupported Windows operating systems so were susceptible to the ransomware”, mostly running Windows 7.
They could have taken “relatively simple action to protect themselves”, NHS Digital told the investigation.
Prior to the attack, NHS Digital carried out an “on-site cyber security assessment” at 88 out of the 236 health trusts in England. None passed. However, it had no powers to make them “take remedial action even if it has concerns about the vulnerability of an organisation”.
The DoH and Cabinet Office wrote to NHS trusts in 2014, telling them to have “robust plans” to update older systems by April 2015, but some 5% of computers and machinery across the NHS were still using them in May 2017.
The DoH had been warned about the risks of cyber attacks on the NHS in July 2016, but although work to improve security had begun there was no formal written response until July 2017, two months after the attack.
The DoH had developed a cyber attack response plan but had not tested it at a local level.
The NHS had not rehearsed for a national-level cyber attack, which led to leadership and communication problems when it struck.
The WannaCry attack could have caused even more disruption if it had not been for cyber researcher Marcus Hutchins, who activated a “kill-switch”.
NHS Digital does not believe that patient data was compromised or stolen.
The DoH, NHS England and the National Crime Agency said that no ransom was paid by the NHS but the health department “does not know how much the disruption to services cost”.
Dan Taylor, NHS Digital’s head of security, said WannaCry had been “an international attack on an unprecedented scale” and the NHS had “responded admirably to the situation”.
Keith McNeil, the NHS’s chief clinical information officer for health and care, said: “As the NAO report makes clear, no harm was caused to patients and there were no incidents of patient data being compromised or stolen.”