The WannaCry cyber attack hit health services in May 2017. Serious vulnerabilities and systemic failures were found at the NHS and the Department of Health, which were unable to prevent the interruption of health services in England.
The National Audit Office (NAO), an independent organization, investigated the incident, focusing on the health service and its patients.
The NAO found that the DoH and the Cabinet Office had informed trusts in 2014 about their “robust plans”. NHS Digital also issued critical alerts to prevent attacks and patch the vulnerabilities that the WannaCry malware later exploited.
Unfortunately, the NAO revealed that the Department of Health had no formal mechanism for assessing whether trusts had followed the advice.
The DoH is also blamed, even though it had established a response plan.
When the ransomware hit, local institutions were unable to communicate with national NHS organizations via email. The attack disrupted over 30% of trusts and compromised 603 primary health care and NHS organizations, including 595 GP practices.
The NHS is still not sure how many operations and appointments were disrupted and canceled due to the cyber attack. About 6,912 incidents are recorded, but the estimated number is approximately 19,000.
The lack of transparency could mean that the Department of Health and NHS England do not know how many GP appointments were disrupted and canceled, or how many ambulances and patients were diverted from the five A&E departments.
The overall figure for WannaCry's impact on the NHS is also unknown.
The NAO indicated that the impact could have been far worse.
It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.
Apparently, NHS England made sure that major health boards applied patches for vulnerabilities and secured “local firewalls”. However, it is unknown if the Department of Health has applied any security solutions in order to prevent similar threats in the future.
The NAO's findings are accompanied by research from VMware. Researchers at VMware surveyed NHS IT managers and found that about 70% indicated that it is necessary to invest more in IT security.
Worse still, almost a third of the surveyed IT managers said that attackers have infiltrated electronic patient data, and 62% of respondents said that cyber attacks could have a negative impact on patients.