Halt hackers now, NHS told
THE NHS has been ordered to “get its act together” or risk another cyber attack like the Wannacry ransomware breach which crippled the health service in May.
An investigation into the cyber attack by the National Audit Office found that NHS groups had been warned as early as 2014 that their systems were vulnerable to hackers.
In the months preceding the attack, NHS Digital had issued “critical alerts” about the Wannacry virus, urging IT departments to update their online security systems.
The report, which is released today, found that almost 19,500 medical appointments, including 139 potential cancer referrals, were probably cancelled, with five hospitals forced to divert ambulances away after being locked out of computers on May 12.
NHS Providers, which represents hospitals, warned that further attacks were “inevitable”, while the head of the audit office said the health service must improve its resilience or it would suffer a more sophisticated and damaging breach.
The Wannacry virus “was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice”, said Sir Amyas Morse, the NAO auditor general. “There are more sophisticated cyber threats out there so the Department of Health and the NHS need to get their act together to ensure the NHS is better protected.”
The Wannacry attack was the largest faced by the NHS to date, infecting computers at 81 health trusts across England – a third of the 236 total – as well as almost 600 GP surgeries.
All were running computer systems – the majority Windows 7 – that had not been updated with anti-virus software even though security experts had said outdated systems were “a ticking timebomb”. On the day of the attack, medical staff reported seeing computers go down “one by one” as the virus took hold, locking machines and demanding money to release data. Accident and emergency units had to divert ambulances away from a number of hospitals.
The report said the attack could have caused more disruption had it not been for Marcus Hutchins, a cyber researcher who activated a “kill switch”.
The NAO said that while NHS Digital, the health service’s IT arm, had issued “critical alerts” about Wannacry in March and April, the Department of Health had “no formal mechanism” to determine whether local NHS organisations had taken any action. NHS Digital had carried out on-site cyber security assessments at 88 health trusts. None passed, yet the organisation had no powers to censure them.
Jonathan Ashworth, the shadow health secretary, said the report revealed “a catalogue of failures” which placed patient safety at risk.
Dan Taylor, NHS Digital’s head of security, said: “We learnt a lot from Wannacry and are working closely with our colleagues in other national bodies to listen, learn and offer support and services to front-line organisations.”