‘Basic IT security’ would have halted NHS hack


The NHS and the Department of Health need to “get their act together” or risk more damaging cyber attacks on their computer systems, a new report has warned.

It comes from the head of the National Audit Office (NAO) after they carried out an independent investigation into a cyber attack that crippled parts of the NHS in England in May.

On Friday 12 May, hundreds of computers were infected with ransomware called WannaCry – leading to thousands of appointments being cancelled and A&E departments having to turn away ambulances.

It was the largest ever cyber attack on the health service, but the review found it could have been prevented if “basic IT security” measures had been taken.

Sir Amyas Morse, the head of the NAO, said: “The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients.

“It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.

“There are more sophisticated cyber threats out there than WannaCry so the Department (of Health) and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

The NAO found that almost 19,500 medical appointments, including 139 potential cancer referrals, were estimated to have been cancelled, with five hospitals having to divert ambulances away. Computers at 81 health trusts across England – a third of the 236 total – were infected along with computers at almost 600 GP surgeries.

On the day of the cyber attack Albert Lechley was supposed to be getting vital medication to treat his myeloma, a type of bone marrow cancer.

He told Sky News he still can’t believe the disruption it caused.

“They didn’t know who you were and it wasn’t on the system what treatment you were supposed to be having,” Mr Lechley said.

“I knew more about my treatment than they did because their computers just could not handle it.”

While there had been warnings about potential cyber attacks on the NHS in July 2016 and in March and April 2017, software updates, or patches, which could have stopped the virus hadn’t been added to PC’s or hard drives which meant it was easy to exploit vulnerabilities in the systems.

Plans on how to deal with a cyber attack also had not been properly rehearsed.

Public Accounts Committee chair Meg Hillier also warned: “The NHS and the Department need to get serious about cyber security or the next incident could be far worse.”

In a statement the Department of Health said: “The NHS has robust measures in place to protect against cyberattack.

“Since May we have taken further action to strengthen resilience and guard against future attack, including new, unannounced cyber security inspections by the Care Quality Commission, £21m in funding to improve resilience in trauma centres, and enhanced guidance for trusts.”

More than 300,000 computers in 150 countries were infected with the WannaCry ransomware.

It affected organisations from government agencies and global companies by targeting computers with outdated security.