NHS and Government to Blame for WannaCry, Says NAO

Exterminator

A series of systemic failures at the NHS and Department of Health exposed the service to serious levels of cyber-risk, allowing WannaCry to disrupt over a third of trusts in England with thousands of appointments and operations cancelled earlier this year, an official report has found.

In the damning new report, independent body the National Audit Office focused specifically on the health service and its patients.

It found that the DoH and Cabinet Office had written to trusts in 2014 saying it was essential they had “robust plans” in place to migrate from legacy platforms like XP. NHS Digital also issued, in March and April 2017, critical alerts to patch the flaws which were ultimately exposed by WannaCry.

However, the department had “no formal mechanism” for assessing whether trusts had complied with the advice, the NAO discovered.

The DoH is also culpable in that although it had developed an incident response plan – including delineating roles and responsibilities of national and local organisations for responding to an attack – it hadn’t been tested at a local level.

That meant that when the ransomware hit, local organizations couldn’t communicate via email with national NHS bodies and staff had to resort to sharing info by phone and WhatsApp.

The whole mess led to disruption at 81 out of 236 trusts in England (34%) and infections at a further 603 primary care and other NHS organisations, including 595 GP practices.

The NHS isn’t even sure how many appointments and operations were cancelled. There are 6,912 that have been recorded, but the figure is estimated to be much higher, at around 19,000. In five areas, patients had to travel further to A&E departments.

This lack of transparency also means that neither the department nor NHS England know how many GP appointments were cancelled, or how many ambulances and patients were diverted from the five A&E departments that were unable to treat some patients.

There’s also no figure on how much the disruption cost the NHS.

The NAO warned the impact could have been far worse had Marcus Hutchins’ “kill switch” not been released to prevent WannaCry locking devices. It was also fortunate the attack happened on a Friday as primary care services usually close over the weekend, the report added.

“The WannaCry cyber-attack had potentially serious implications for the NHS and its ability to provide care to patients,” argued NAO boss Amyas Morse.

“It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

NHS England has apparently written to all major health boards to ensure they have now applied patches and secured “local firewalls”.

However, there’s no word on whether the service, or the Department of Health, has taken concrete steps such as testing incident response plans and migrating to newer platforms, which would help mitigate risk in future.

The report also made no mention of the GDPR or NIS Directive, but after May next year regulators will take a dim view of such incidents – if patient data is made unavailable and systems are breached as a result of poor planning.

The NAO’s findings chime with a VMware survey of NHS IT managers in which 70% claim more needs to be spent on IT security.

Things could get even worse, with nearly a third of respondents claiming hackers have already infiltrated electronic patient data, 62% saying cyber-attacks could result in patients coming to harm, and 38% admitting their team lacks the skills to improve cybersecurity infrastructure and strategy.
 

ElectricSheep

A lot is probably down to the state of the NHS itself, burdened by "health tourists" who come to this country, get treatment and disappear back home without paying what they're supposed to pay - it's free BUT only to resident nationals! Plus many other factors such as government cuts, overpaid managers and underpaid nursing staff... The list goes on and on... :(

Oh and many trusts are millions in the red.
