NHS was crippled by “unsophisticated” cyber attack

Back in May of this year, the NHS was hit by a cyber attack that severely impacted at least 34% of trusts across England. A report emerging from the National Audit Office (NAO) has condemned preparations made by both the government and NHS national bodies to respond to a potential attack.

The report found that at least 81 trusts out of 236 trusts across England were affected, with a further 603 primary care organisations and 595 GP practices impacted.

The WannaCry virus was the largest cyber attack to hit the NHS to date and led to at least 6,900 NHS appointments being cancelled. It is estimated that a total number of 19,000 appointments may have been affected in some way due to the attack. Most worryingly, 139 people who potentially had cancer had their referrals cancelled.

Amyas Morse, Head of the National Audit Office, condemned preparations for this eventuality in strong terms:

"The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks."

The malware did not specifically target the NHS, as it spread through more than 150 countries and hit many large companies, including Nissan and MSD (known as Merck in North America).

The spread of the virus was eventually stopped by a British cyber security researcher, Marcus Hutchins, who registered the domain name that happened to be the kill switch for the malware.

However, NAO’s report suggests that it would have been simple for NHS services to protect themselves from the threat by simply updating the Windows operating system, which would patch against the malware.

NHS Digital had actually advised NHS trusts to do exactly this, in March and April of this year, but does not have the authority to compel them to take action when it sees fit.

Since the attack, there have been suggestions that the virus originated from North Korea and had been a test that was not expected to spread as rapidly as it did.