‘Simple steps’ were available
Meg Hillier, chairman of the Commons Public Accounts Committee, said: “The NHS could have fended off this attack if it had taken simple steps to protect its computers and medical equipment. Instead, patients and NHS staff suffered widespread disruption, with thousands of appointments and operations cancelled.
“The Department of Health failed to agree a plan with the NHS locally for dealing with cyber attacks so the NHS response came too late in the day. The NHS and the department need to get serious about cyber security or the next incident could be far worse.”
The health department had been warned about the risks of cyber attacks on the NHS in July last year, but although work to improve security had begun, there had been no formal written response until July 2017, two months after the attack.
It also says that “on-site cyber security assessments” had been carried out at 88 out of the 236 health trusts in England before the attack but that none had passed.
However, the IT department had no powers to make them take action.
More than 300,000 computers in 150 countries were infected with the WannaCry “ransomware”, which demanded money for an unlock code.
No NHS organisation is thought to have paid the ransom.
The virus targeted computers with outdated security – the majority running versions of Windows 7 that had not been updated. At the time, security experts warned the NHS that running such operating systems was a “ticking time bomb”, leaving it vulnerable to further attacks.
Shadow health secretary Jonathan Ashworth said the report revealed “a catalogue of failures which needlessly left our NHS vulnerable and placed patient safety at risk”.