A series of systemic failures at the NHS and Department of Health exposed the service to serious levels of cyber-risk, allowing WannaCry to disrupt over a third of trusts in England with thousands of appointments and operations cancelled earlier this year, an official report has found.
In the damning new report, independent body the National Audit Office focused specifically on the health service and its patients.
It found that the DoH and Cabinet Office had written to trusts in 2014 saying it was essential they had “robust plans” in place to migrate from legacy platforms like XP. NHS Digital also issued, in March and April 2017, critical alerts to patch the flaws which were ultimately exposed by WannaCry.
However, the department had “no formal mechanism” for assessing whether trusts had complied with the advice, the NAO discovered.
The DoH is also culpable in that although it had developed an incident response plan – including delineating roles and responsibilities of national and local organisations for responding to an attack – it hadn’t been tested at a local level.
That meant that when the ransomware hit, local organizations couldn’t communicate via email with national NHS bodies and staff had to resort to sharing info by phone and WhatsApp.
The whole mess led to disruption at 81 out of 236 trusts in England (34%) and infections at a further 603 primary care and other NHS organisations, including 595 GP practices.
The NHS isn’t even sure how many appointments and operations were cancelled. There are 6,912 that have been recorded but the figure is estimated much higher; at around 19,000. In five areas, patients had to travel further to A&E departments.
This lack of transparency also means that neither the department nor NHS England know how many GP appointments were cancelled, or how many ambulances and patients were diverted from the five A&E departments that were unable to treat some patients.
There’s also no figure on how much the disruption caused the NHS.
The NAO warned the impact could have been far worse had Marcus Hutchins’ “kill switch” not been released to prevent WannaCry locking devices. It was also fortunate the attack happened on a Friday as primary care services usually close over the weekend, the report added.
“The WannaCry cyber-attack had potentially serious implications for the NHS and its ability to provide care to patients,” argued NAO boss Amyas Morse.
“It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
NHS England has apparently written to all major health boards to ensure they have now applied patches and secured “local firewalls”.
However, there’s no word on whether the service, or the Department of Health, has taken concrete steps such as testing incident response plans and migrating to newer platforms, which would help mitigate risk in future.
The report also made no mention of the GDPR or NIS Directive, but after May next year regulators will take a dim view of such incidents – if patient data is made unavailable and systems are breached as a result of poor planning.
The NAO’s findings chime with a VMware survey of NHS IT managers in which 70% claim more needs to be spent on IT security.
Things could get even worse, with nearly a third of respondents claiming hackers have already infiltrated electronic patient data, 62% saying cyber-attacks could result in patients coming to harm, and 38% admitting their team lacks the skills to improve cybersecurity infrastructure and strategy.