A cyber attack which crippled parts of the NHS in May could have been prevented if ‘basic IT security’ measures had been taken, an independent investigation has found.
The head of the National Audit Office (NAO) warned the health service and Department of Health (DoH) to ‘get their act together’ in the wake of the WannaCry crisis, which saw more than 300,000 computers in 150 countries infected with the ransomware.
Sir Amyas Morse, the head of the NAO, said: ‘The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients.
‘It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.
‘There are more sophisticated cyber threats out there than WannaCry so the Department (of Health) and the NHS need to get their act together to ensure the NHS is better protected against future attacks.’
The NAO said that while the health service’s IT arm, NHS Digital, had issued ‘critical alerts’ about WannaCry in March and April, the DoH had ‘no formal mechanism’ to determine whether local NHS organisations had taken any action.
The malware is believed to have infected machines at 81 health trusts across England and computers at almost 600 GP surgeries. Medical staff reported seeing computers go down ‘one by one’ as the attack took hold, locking machines and demanding money to release the data on them.
NHS Digital’s Head of Security Dan Taylor said WannaCry had been ‘an international attack on an unprecedented scale’ and the NHS had ‘responded admirably to the situation’.
He added: ‘Doctors, nurses and professionals from all areas pulled together and worked incredibly hard to keep frontline services for patients running and to get everything back to normal as swiftly as possible.