UK.gov joins Microsoft in fingering North Korea for WannaCry


Basic security ‘would have stopped NHS cyber attack’ by David Wilcock Published

Wallace began by accepting a National Audit Office report that the outbreak could have been prevented had NHS Trusts applied the missed patches and maintained adequate firewall defences.

Back in May, the worldwide release of the computer virus, which encrypts data on infected computers and demands a ransom payment to restore users' access, triggered the largest cyber attack to affect the NHS in England.

The NAO's probe, released today, found that nearly 19,500 medical appointments, including 139 potential cancer referrals, were estimated to have been cancelled, with five hospitals having to divert ambulances away after being locked out of computers on May 12.

"There are more sophisticated cyber threats out there than WannaCry so the Department (of Health) and the NHS need to get their act together to ensure the NHS is better protected against future attacks".

The Department and Cabinet Office had written to trusts in 2014, saying it was essential they had "robust plans" to migrate away from old software, such as Windows XP, by April 2015.

Sir Amyas said: 'It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.'

NHS organisations have not reported any cases of harm to patients or of their data being stolen as a result of WannaCry.

"Before 12 May 2017, the Department had no formal mechanism for assessing whether NHS organisations had complied with its advice and guidance". Instead, patients and NHS staff suffered widespread disruption, with thousands of appointments and operations cancelled.


What's particularly surprising about the NAO report is that actions had been taken to better prepare the NHS for a cyber attack of this nature - but the Department of Health had been slow to respond to recommendations and there appears to be a significant lack of control around ensuring that the NHS responds to requirements.

Meg Hillier, chairman of the Public Accounts Committee, said: 'The NHS could have fended off this attack if it had taken simple steps to protect its computers and medical equipment.'

Infected organisations had unpatched or unsupported Windows operating systems, making them susceptible to the ransomware, which spread with the help of a leaked computer exploit from the National Security Agency (NSA).

In response to the attack, NHS England and NHS Improvement - responsible for overseeing foundation trusts and NHS trusts - have written to every major health body in the United Kingdom asking them to address NHS Digital warnings made between March and May of 2017.

A further cyber attack in August led to 184 cancelled appointments.

The NAO said the NHS "has accepted that there are lessons to learn" from WannaCry and will now develop a response plan.

Keith McNeil, chief clinical information officer for health and care at NHS England, said emergency plans were activated quickly and staff "went the extra mile" to provide care.
