WannaCry ransomware attack on NHS was easily preventable

27 Oct 2017

NHS medical centre in Warrington, Cheshire. Image: Marbury/Shutterstock

The National Audit office found that cybersecurity standards were poor across all tested NHS trusts.

The WannaCry ransomware attack in May 2017 had a dramatic effect on the IT systems of the NHS in the UK, blocking access to files by encryption unless a ransom was paid.

A report released today (27 October) by the National Audit Office (NAO) shows the full extent of last summer’s incident, and NAO head Amyas Morse stated clearly that the NHS needs to do more to prevent future attacks having potentially devastating consequences.

An easily preventable attack

He said that the WannaCry attack was “relatively unsophisticated” and could have been prevented by the NHS by following basic IT security best practice. “There are more sophisticated cyber threats out there than WannaCry, so the department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

The UK department of health was warned about the risks of a cyberattack a year before WannaCry was even on the radar and although it had been working to upgrade security protocols, it didn’t formally respond with a written report until July 2017.

Warnings had been issued in 2014 about computers needing to migrate from old software such as Windows XP, and, in March and April 2017, NHS Digital issued critical alerts warning organisations to patch systems and prevent WannaCry. The department also had no formal mechanism for assessing whether local NHS organisations had complied with advice.

Simple actions were not taken

NHS Digital told the NAO that all organisations affected by WannaCry could have taken relatively simple actions to protect their systems: “Infected organisations had unpatched or unsupported Windows operating systems, so were susceptible to the ransomware. However, whether organisations had patched their systems or not, taking action to manage their firewalls facing the internet would have guarded organisations against infection.”

Overall, 81 NHS organisations were affected by the WannaCry attack and the UK department of health was unable to cost the impact of the incident, meaning the full extent of damage may never be discovered. At least 34pc of NHS trusts were affected and 6,912 appointments were confirmed to have been cancelled but estimates for total cancellations came in at a staggering 19,000.

No NHS organisation is known to have paid the ransom.

WannaCry was a ransomware worm that travelled from machine to machine directly, seeding itself across networks much like the ones in the NHS. Marcus Hutchins, a security researcher, is credited with finding and activating a ‘kill switch’ that prevented future infections from shutting down devices.

Even after the kill switch had been engaged, a further 92 organisations look to have been infected, and their continued operation was simply down to chance.

NHS medical centre in Warrington, Cheshire. Image: Marbury/Shutterstock

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects