NAO says DoH could have done more to prevent WannaCry

Chief government auditor says department and NHS ‘need to get their act together’ to improve protection against cyber attacks

The government’s chief auditor has criticised the Department of Health (DoH) for not doing enough in advance of the WannaCry ransomware attack that disrupted a third of England’s NHS trusts last May.

The National Audit Office (NAO) has published a report on the incident indicating that the DoH could have done more to protect the organisations, and that it has not been able to fully assess the level of disruption.

Furthermore, its chief official said the department and the NHS need to prepare more effectively for new threats in the cyber sphere.

Head of the NAO Amyas Morse said: “The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.

“There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

Extent of disruption

Among the report’s key findings are that the attack on 12 May led to disruption in at least 81 out of England’s 236 NHS trusts, with many having to cancel patient appointments. While most managed to continue emergency treatment, some had to divert patients to other A&E departments and two needed outside help to continue treating patients.

In addition, 595 GP practices and eight other organisations were infected by the virus.

The DoH has not been able to establish how many organisations could not access records or receive information because they shared data with an infected trust, although NHS Digital, which provides data and IT systems for NHS organisations, said it believes no patient data was compromised or stolen.

The main failing was in the preparations before the attack occurred. NHS Digital had identified that a continued reliance on Windows XP made organisations vulnerable, and issued critical alerts that they should patch their systems.

But it had no formal mechanism for assessing whether they had complied and if they were prepared for a cyber attack.

In addition, the DoH had developed a plan including roles and responsibilities for national and local organisations in responding to an attack, but had not tested it at local level. When the attack came, many local organisations could not communicate with national NHS bodies by email as they had been infected or shut down their email systems as a precaution. The communication that took place was largely by telephone and staff’s personal mobile devices.

Kill switch

A crucial step in ending the attack came when a cyber researcher activated a ‘kill switch’ to prevent WannaCry from locking more devices.

In the aftermath, NHS Digital told the NAO that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves. Their reliance on unpatched or unsupported Windows XP left them susceptible to ransomware, and they had failed to manage their firewalls in a way that provided protection.

But the NHS has begun to take action, writing to every major health body asking boards to ensure they have implemented all alerts issued by NHS Digital between March and May of this year, and taken the essential steps to secure their firewalls.

It has also come to a new custom support agreement with Microsoft to provide patches and updates for all existing devices running on Windows XP, Windows Server 2003 and SQL 2005 – which are no longer supported on a standard basis by the company.
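The report’s central finding is that alerts were issued but nobody checked whether trusts had acted on them. As an added illustration (not NHS Digital’s tooling, and with placeholder alert ids and a constructed inventory), this is the minimal shape such an assessment mechanism takes: it flags the out-of-support platforms the article names, firewall exposure of SMB port 445 (the service WannaCry spread over), and any critical alert in the March–May window an organisation has not confirmed implementing.

```python
from dataclasses import dataclass
from datetime import date

# Platforms the report names as outside standard Microsoft support.
OUT_OF_SUPPORT = {"Windows XP", "Windows Server 2003", "SQL Server 2005"}
# Constructed alert register: placeholder ids, not real NHS Digital alert ids.
ALERTS = {"ALERT-A": date(2017, 3, 20), "ALERT-B": date(2017, 4, 25), "ALERT-C": date(2017, 5, 12)}
# WannaCry propagated over SMB, so port 445 open through the firewall is the exposure to flag.
SMB_PORT = 445

@dataclass
class Asset:
    org: str       # trust or practice that owns the device
    host: str
    platform: str
    exposed_ports: frozenset  # ports reachable from outside the organisation boundary

def required_alerts(start, end):
    """Alert ids issued inside the window boards were asked to confirm."""
    return {aid for aid, issued in ALERTS.items() if start <= issued <= end}

def assess(assets, applied, start, end):
    """Return (org, host, finding) rows; `applied` maps org -> alert ids it confirmed.
    An empty list means every asset and organisation is compliant."""
    findings = []
    for a in assets:
        if a.platform in OUT_OF_SUPPORT:
            findings.append((a.org, a.host, f"out-of-support platform: {a.platform}"))
        if SMB_PORT in a.exposed_ports:
            findings.append((a.org, a.host, f"port {SMB_PORT} reachable through firewall"))
    needed = required_alerts(start, end)
    for org in sorted({a.org for a in assets}):
        missing = sorted(needed - applied.get(org, set()))
        if missing:
            findings.append((org, "-", "alerts not confirmed: " + ", ".join(missing)))
    return findings

# Constructed inventory for two fictional trusts.
SAMPLE_ASSETS = [
    Asset("Trust-A", "pacs01", "Windows XP", frozenset({445, 3389})),
    Asset("Trust-A", "web01", "Windows Server 2012", frozenset({443})),
    Asset("Trust-B", "db01", "SQL Server 2005", frozenset()),
    Asset("Trust-B", "ws07", "Windows 10", frozenset()),
]
SAMPLE_APPLIED = {"Trust-A": {"ALERT-A"}, "Trust-B": {"ALERT-A", "ALERT-B", "ALERT-C"}}

def sample_report():
    """Run the assessment over the constructed data for the March–May window."""
    return assess(SAMPLE_ASSETS, SAMPLE_APPLIED, date(2017, 3, 1), date(2017, 5, 31))
```

Calling `sample_report()` yields four rows: two for the Windows XP host (platform and port 445), one for the SQL Server 2005 host, and one organisation-level row for Trust-A’s two unconfirmed alerts.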
