NHS Cyber 'Wannacry' Attack Could Have Been Avoided With 'Basic' Security, NAO Says

'It was perfectly avoidable'.

The NHS could have avoided the huge cyber attack that led to thousands of appointments being cancelled if it followed “basic” security practice, a Government report has said.

The Wannacry attack hit 81 of the 236 local trusts in England, as well as 595 GP practices, despite the fact it was “relatively unsophisticated”, the National Audit Office (NAO) said in its report published on Friday.

Around 19,000 operations were cancelled, the NAO said, and one expert told HuffPost its report showed the attack was “perfectly avoidable”.

Five hospital trusts had to divert patients to other A&E departments, and another two needed outside help to continue treating patients.

Open Image Modal
Anthony Brett outside St Bartholomew's Hospital in London in May. He was about to have a stent put in his liver to treat his cancer when he was told the procedure could not happen due to the cyber attack
PA Wire/PA Images

The WannaCry virus locked people out of their computers and displayed a ransom message demanding money in exchange for the return of the data and records within it.

The NAO’s report noted the Department of Health had developed a plan to respond to an attack but failed to test it a local level and the NHS had not rehearsed its response at a national level.

This led to uncertainty as to who would lead the response, the NAO said, noting communications problems, as computers were brought down or shut down as a precaution, meant some NHS staff had to resort to WhatsApp on their personal phones.

The Department of Health had been warned about the threat from cyber attacks a year before and, though NHS Digital had urged NHS to download security patches for Windows software, it had not assessed whether they had complied.

Every trust that was hit was using an unpatched or unsupported version of Windows software, the NAO said.

Open Image Modal
The message that displayed on hacked computers
Twitter

Amyas Morse, head of the NAO, said: “The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.

“There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

Prof Alan Woodward, a computer science academic at the University of Surrey, said the NAO report showed the attack was “perfectly avoidable”.

He told HuffPost: “Probably the most worrying thing is the fact they did have a plan... It was put together by the centre and promulgated but nobody had practised it.

“It was a bit like having a fire drill and nobody ever practising it. If you get it off the shelf and dust it off when you want to use it then, not surprisingly, people don’t really know what some of it actually means who they’ve got to phone, communicate with.”

Open Image Modal
Patrick Ward from Dorset whose heart operation scheduled today was cancelled because of the attack
Lauren Hurley - PA Images via Getty Images

He added: “Everybody had been told [a cyber attack] was a real possibility the year before and the centre didn’t know whether the trusts were prepared or not.

“It shows there were lots of good intentions there but, as ever, when it came to implementation of it, it went spectacularly wrong.”

Ross Anderson, a computer scientist at the University of Cambridge, told HuffPost: “Even with unpatched systems, managing their firewalls properly
would have protected them.”

He added A&Es were wrong to turn away patients, saying: “You don’t need medical records to treat walk-in casualties and their procedures are designed to not need them.”

MP Meg Hillier, who chairs the Public Accounts Committee, said: “The NHS could have fended off this attack if it had taken simple steps to protect its computers and medical equipment.

Instead, patients and NHS staff suffered widespread disruption, with thousands of appointments and operations cancelled.”

Shadow Health Secretary Jonathan Ashworth said the NAO report “reveals a catalogue of failures which needlessly left our NHS vulnerable and placed patient safety at risk”.

“In the digital age, it is abundantly clear that a 21 Century health service should have been far better prepared for a cyber attack,” he said. 

“The Government must now outline as a matter of priority what action it is taking to keep patients safe this winter and beyond. Complacency simply isn’t an option, and patients and staff deserve urgent reassurances that our NHS, and its sensitive data, is kept safe and secure.”

Keith McNeil, NHS England’s chief clinical information officer for health and care said:  “As the NAO report makes clear, no harm was caused to patients and there were no incidents of patient data being compromised or stolen. 

“Tried and tested emergency plans were activated quickly and our hard-working NHS staff went the extra mile to provide patient care, keeping the impact on NHS services and patients to a minimum.”

The attack was global and the NHS was not its specific target. Though individual trusts had been hit before, it was the largest attack to hit the NHS in England to date.

A Department of Health spokeswoman said: “Since May we have taken further action to strengthen resilience and guard against future attack, including new, unannounced cyber security inspections by the CQC, £21million in funding to improve resilience in trauma centres, and enhanced guidance for trusts.

“Wannacry was an international attack on an unprecedented scale, and staff worked incredibly hard to tackle it.”