Concerns over NHS cyber attack


Basic security ‘would have stopped NHS cyber attack’ by David Wilcock Published

Security minister Ben Wallace appeared on BBC Radio 4's flagship Today programme on Friday morning to blame North Korea for the infamous ransomware attack that disrupted the operation of one in three NHS Trusts in England as well as numerous other organisations worldwide.

The NAO's investigation said the cyber attack was the largest ever to affect the National Health Service (NHS), leading to the cancellation of thousands of appointments across the country.

"It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice", said Sir Amyas Morse, the NAO's comptroller and auditor-general.

NHS Digital told the NAO that it believes no patient data were compromised or stolen.

The full scale of the incident saw over 19,000 medical appointments cancelled, according to the report, and computers at 600 surgeries shut down.

And while the report added that the Department had developed a plan, which included instructions on how organisations should respond to an attack, it went on to say that this plan had not been properly tested at a local level.

Between May 12 and May 18, the NAO said, NHS England collected some information on cancelled appointments, to help it manage the incident, but this did not include all types of appointment.

According to PharmaPhorum, no formal Department of Health (the government health ministry that oversees the health service) process was in place to assess whether NHS organisations had heeded the advice.

Meanwhile IT systems at the Cumberland Infirmary were also hit.

Between 15 May and mid-September NHS Digital and NHS England identified a further 92 organisations, including 21 trusts, as contacting the WannaCry domain, though some of these may have been contacting the domain as part of their cyber security activity.

The cyberattack could have caused more disruption had it not been stopped by a researcher who activated a "kill switch" that prevented WannaCry spreading.

Today's report reveals that the health department had been warned about the risks of cyber attacks on the NHS in July of the previous year. Although work to improve security had begun, there had been no formal written response until July 2017, two months after the attack.

WannaCry infected over 200,000 computer systems across 150 countries within days of being unleashed in early May by exploiting a critical vulnerability affecting certain versions of Microsoft's Windows operating system.

Hospitals were found to have been running out-of-date computer systems, such as Windows XP and Windows 7, that had not been updated to secure them against such attacks.

Part of the problem is that NHS Digital cannot mandate a local body to take action, even if it has concerns about the vulnerability of an organisation.

"The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients".
