Hospital Dr News

NAO: “We must better protect the NHS against future cyber attacks”

The NHS must follow basic IT security best practice if it wants to avoid being damaged by cyberattacks in the future.

A National Audit Office investigation into the ransomware crisis back in May has warned that the government and some trusts did not do enough to protect themselves.

On Friday 12 May 2017 a computer virus, known as WannaCry, which encrypts data on infected computers and demands a ransom payment to allow users access, was released worldwide.

It was to date the largest cyberattack to affect the NHS in England.

The investigation finds that the Department of Health failed to assess whether NHS organisations were prepared for an attack.

The attack led to disruption in at least 34% of trusts in England although the Department and NHS England do not know the full extent of the disruption.

On 12 May, NHS England initially identified 45 NHS organisations including 37 trusts that had been infected by the WannaCry ransomware. In total at least 81 out of 236 trusts across England were affected.

A further 603 primary care and other NHS organisations were infected by WannaCry, including 595 GP practices.

However, the Department does not know how many NHS organisations could not access records or receive information, because they shared data or systems with an infected trust.

Thousands of appointments and operations were cancelled and in five areas patients had to travel further to accident and emergency departments.

The Department, NHS England and the National Crime Agency told the NAO that no NHS organisation paid the ransom, but the Department does not know how much the disruption to services cost the NHS.

Costs included cancelled appointments, additional IT support provided by local NHS bodies or IT consultants, and the cost of restoring data and systems affected by the attack.

The cyberattack could have caused more disruption if it had not been stopped by a cyber researcher activating a ‘kill switch’ so that WannaCry stopped locking devices.

The investigation found that the DoH had developed a plan, which included roles and responsibilities of national and local organisations for responding to an attack, but had not tested the plan at a local level.

NHS Digital told the investigation that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves.

Infected organisations had unpatched or unsupported Windows operating systems and so were susceptible to the ransomware. However, whether or not organisations had patched their systems, properly managing their internet-facing firewalls would have guarded them against infection.

Amyas Morse, head of the National Audit Office, said: “The WannaCry cyberattack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.

“There are more sophisticated cyber threats out there than WannaCry so the DoH and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

NHS England and NHS Improvement have written to every major health body asking boards to ensure that they have implemented all alerts issued by NHS Digital between March and May 2017 and have taken essential action to secure local firewalls.
