The Department of Health has been ordered to “get its act together” after an official report found the largest cyber attack in NHS history could have been prevented if “basic IT security” precautions had been taken.
The National Audit Office (NAO) report into the WannaCry cyber attack comes after Jeremy Hunt, the Health Secretary, had to deny claims made in the immediate aftermath of the hack that he had failed to provide proper investment in NHS cybersecurity.
The report compiled by Sir Amyas Morse, head of the NAO, found that every NHS organisation that succumbed to the WannaCry hack “could have taken relatively simple action to protect themselves”.
Instead WannaCry was allowed to disrupt at least 81 English health trusts, leading to the cancellation of an estimated 19,494 medical appointments, including 139 potential cancer referrals.
Sir Amyas said: “The WannaCry cyber attack was relatively unsophisticated and could have been prevented by the NHS following basic IT security best practice.
“There are more sophisticated cyber threats out there, so the Department of Health and the NHS need to get their act together to ensure the NHS is better protected.”
He was backed by the Shadow Health Secretary, Jon Ashworth, who said: “This report reveals a catalogue of failures.
“It is abundantly clear that a 21st century health service should have been far better prepared.
“Labour will prioritise NHS cybersecurity as part of our pledge to bring forward £10bn of capital funding. We will urgently upgrade IT systems and undertake crucial repairs to increasingly crumbling infrastructure.
“The Government must now outline as a matter of priority what action it is taking to keep patients safe. Complacency isn’t an option.”
In November 2016, six months before the attack, it was reported that at least seven NHS trusts had spent nothing at all on cybersecurity infrastructure in 2015.
In February, three months before WannaCry hit, Graham Cluley, a security researcher, had warned: “Hospitals are a particularly soft target because their IT systems are poorly funded and out of date. Without access to patient medical records, people might even die.”
The NAO report has now found that in July 2016, the National Data Guardian and the Care Quality Commission (CQC) had both warned the Department of Health that it needed to take action against cyber threats.
But, the report said, although work was being done to strengthen cybersecurity, the department didn’t publish its response to both organisations until July 2017, two months after the WannaCry attack and a full year after the warnings were first issued.
The NAO report also found that before WannaCry, there had been a series of other, smaller cyber attacks on the NHS.
But WannaCry was still able to affect at least 81 out of 236 English health trusts, causing computers to go down “one by one” and forcing A&E units to divert ambulances away at five hospitals.
“All organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves,” the report concluded. “[They all] had unpatched or unsupported Windows operating systems.”
Some trusts were running the outdated Windows XP system that Microsoft had ceased to support. But, the report found, most of the infected NHS computers used Windows 7, which was still being supported by Microsoft.
This meant that most NHS trusts could have protected themselves by simply installing an update offered by Microsoft in March, two months before WannaCry hit, the report said.
NHS Digital had issued alerts on 17 March and 28 April asking trusts to apply the patch, but, the report said, it had no powers to force them to do so.
It did not even have the power to order remedial action after cybersecurity inspections failed all 88 of the trusts assessed before WannaCry hit.
“NHS Digital cannot mandate a local body to take remedial action even if it has concerns about the vulnerability of that organisation,” the report noted.
The NHS had also failed to rehearse for a national-level cyber attack, the report found.
It said: “Before the WannaCry attack the Department [of Health] had developed a plan. However, the Department had not tested the plan at a local level.
“This meant the NHS was not clear what actions it should take. Without clear guidelines on responding to a national cyber attack, organisations reported the attack to different sources including the local police.”
Immediately after the WannaCry attack, there was widespread criticism of how in 2015 the Department of Health had decided against renewing a £5.5m contract with Microsoft that would have seen the US tech giant offer another year’s support to NHS trusts still using Windows XP.
The NAO report found that the Department of Health told trusts in 2014 that it was essential they had “robust plans” to stop relying on XP, but when WannaCry hit about 5 per cent of the NHS IT estate, including computers and medical equipment, was still using the old system.
The report added that WannaCry could have done more damage to the NHS had cyber researcher Marcus Hutchins not stopped it by activating a “kill switch”.
Keith McNeil, chief clinical information officer for health and care at NHS England, responded by saying: “As the report makes clear, no harm was caused to patients and there were no incidents of patient data being compromised or stolen.
“Tried and tested emergency plans were activated quickly and NHS staff went the extra mile to keep the impact on patients to a minimum.”
A Department of Health spokeswoman said: “The NHS has robust measures in place to protect against cyber attack. Since May we have taken further action to strengthen resilience and guard against future attack, including new, unannounced cybersecurity inspections by the CQC, £21m in funding to improve resilience in trauma centres, and enhanced guidance for trusts.”
The Department of Health has consistently denied that lack of investment had anything to do with so many NHS Trusts falling victim to WannaCry.
Immediately after the attack, Mr Hunt said: “Although we did use some of the capital budget for revenue spending, the IT budget has been protected. In fact, the IT budget at the spending review in 2015 was increased substantially.
“We put £50m in to a new NHS cybersecurity centre, so this has been an area where, despite all the financial pressures on the NHS, we have been increasing spend.”
Join our new commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies