A government investigation has lambasted the NHS for its poor response to the ‘relatively unsophisticated’ WannaCry ransomware attack and believes the NHS needs to get its act together to guard against future attacks.
The government investigation concluded that the NHS could have thwarted the WannaCry ransomware attack had it followed basic IT security best practices.
An investigation conducted by the National Audit Office on the WannaCry ransomware attack and its implications on NHS England has pulled up the organisation for failing to respond effectively to the attack that also struck many other organisations around the world.
A report released by the office includes the true number of NHS trusts, hospitals, and GP clinics that were impacted by the ransomware. These included 81 out of 236 trusts across England as well as 603 primary care and other NHS organisations, including 595 GP practices. The office estimates that as many as 19,000 appointments were cancelled as a result of the attack.
It adds that between 15 May and mid-September, NHS England identified a further 92 organisations, including 21 trusts, that were hit by the ransomware attack. 32 of the 37 NHS trusts that were effectively infected and locked out of devices were located in the North NHS Region and the Midlands & East NHS region.
This was despite the fact that the Cabinet Office and the Department had asked all NHS trusts in 2014 to migrate away from old software, especially Windows XP, by April 2015. In March and April 2017, NHS Digital had also warned trusts of the risk of cyber-attacks and urged them to patch their systems as quickly as possible.
It added that NHS England had no way of knowing the true impact of the WannaCry ransomware attack. ‘Neither the Department nor NHS England know how many GP appointments were cancelled, or how many ambulances and patients were diverted from the five accident and emergency departments that were unable to treat some patients,’ the report says, although national and local NHS staff did work overtime to resolve problems and to prevent a fresh wave of organisations from being affected.
NHS Digital conceded to the National Audit Office that all NHS trusts and organisations impacted by the ransomware attack ‘had unpatched, or unsupported Windows operating systems’. The office also concluded that, even so, had such organisations properly managed their Internet-facing firewalls, they would have guarded their systems against infection.
‘The fundamental question facing the NHS now is what actions to take. Does it focus on improving patient care, ensuring adequate staffing levels, and maintaining the essential physical infrastructure to meet immediate healthcare needs? Or does it improve non-essential IT infrastructure that can always be replaced by good old-fashioned pen and paper?’ says Thomas Fischer, threat researcher and global security advocate at Digital Guardian.
‘What is clear from reviewing this report is that the NHS’s approach to IT management will have to change, one way or another. Two obvious areas to start would be improving user training and awareness of cybersecurity and ensuring that there is enough available infrastructure to allow systems to be upgraded or patched in a rolling schedule, without negatively impacting productivity,’ he adds.
In related news, Home Office Minister Ben Wallace has claimed that North Korea was behind the WannaCry attack in May that impacted several NHS trusts and other institutions.
‘This attack, we believe quite strongly that it came from a foreign state. North Korea was the state that we believe was involved in this worldwide attack. It is widely believed in the community and across a number of countries that North Korea had taken this role,’ he told BBC Radio 4’s Today programme.
However, he added that Britain wouldn’t engage in a tit-for-tat operation because that would give North Korea an excuse to target the country’s other functions.
‘Other countries do have doctrines and military thinking along that line, but the West – the United States, Europe and the United Kingdom – are much more thoughtful about these things because, ultimately, if we were to take some action, we have to remember that some of these states may, as we have seen with this WannaCry, strike out at the rest of our functions,’ he said.