Failures at local and Department level were responsible for the spread of the WannaCry ransomware in May this year, a government report has found.
According to the report, produced by the National Audit Office, all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves. Infected organisations were running unpatched or unsupported Windows operating systems, so were susceptible to the ransomware attack.
The Department of Health was warned about the risks of cyber attacks on the NHS a year before WannaCry and, although it had work underway, it did not formally respond with a written report until July 2017. The Department and the Cabinet Office wrote to trusts in 2014, saying it was essential they had "robust plans" to migrate away from old software, such as Windows XP, by April 2015.
In March and April 2017, NHS Digital had issued critical alerts warning organisations to patch their systems to prevent WannaCry. However, before 12 May 2017, when the WannaCry attack took place, the Department had no formal mechanism for assessing whether local NHS organisations had complied with its advice and guidance, or whether they were prepared for a cyber attack.
The malware encrypted data on infected computers and demanded a ransom roughly equivalent to £230 ($300).
The NAO report said there was no evidence that any NHS organisation paid the ransom, but the financial cost of the incident remained unknown. Costs included cancelled appointments, additional IT support provided by NHS local bodies or IT consultants, and the cost of restoring data and systems affected by the attack.
The report also established that the Department of Health had developed a plan for responding to a cyber attack, but had not tested the plan at a local level. As the NHS had not rehearsed for a national cyber attack, it was not immediately clear who should lead the response, and there were problems with communications.
Amyas Morse, head of the National Audit Office, said:
“The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”