“Relatively simple action” could have stopped WannaCry attack

Stephen Chapman's picture

The National Audit Office has published its findings following the WannaCry ransomware attack on the NHS.

More than a third of NHS Trusts in the country were disrupted by the virus, with almost 7000 appointments cancelled.

In May, the Blackpool Clinical Commission Group stated that the attack began in Lancashire and quickly spread across the network. Those infected saw a screen which stated that the computer’s files had been encrypted and would be lost unless $300 of bitcoins were sent to a specific address.

In the National Audit Office report, Leeds-based NHS Digital said that every organisation infected shared the same vulnerability and could have taken “relatively simple action to protect themselves.”

The report also stated that NHS Digital had issued critical alerts warning organisations to patch their systems to prevent WannaCry. However, there was no formal mechanism to find out whether this had been done.

Before the attack, NHS Digital conducted on-site cyber security assessments for 88 of the 236 trusts. Not one passed.

“However, NHS Digital cannot mandate a local body to take remedial action even if it has concerns about the vulnerability of an organisation,” it stated.

“The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks,” said Amyas Morse, head of the National Audit Office.

NHS England said that no NHS organisation paid the ransom and no patient data was compromised or stolen.