The National Health Service (NHS) was left vulnerable to the WannaCry ransomware attack because, despite local health trusts being warned to patch their systems, many had failed to do so.
A National Audit Office (NAO) investigation into May’s global cyber-attack — which took down IT systems at many NHS organisations — has found that the impact of WannaCry could have been prevented if basic security best practice had been applied.
According to the NAO’s report, NHS Digital — the health service’s data and IT body — issued critical alerts throughout March and April warning organisations to patch their systems in order to prevent an event like WannaCry from happening.
In April, Microsoft released an emergency patch to protect against EternalBlue, a leaked NSA hacking tool which uses a version of Windows’ Server Message Block (SMB) networking protocol to spread itself, worm-like, across an infected network.
It was this exploit which powered WannaCry and led to its quick proliferation onto networks around the world, including the NHS. An NHS spokesperson told ZDNet that the critical alerts to patch systems were issued in response to Microsoft updating software to protect against the exploit.
Previous advice issued in 2014 by the Department of Health and the Cabinet Office warned hospitals and GP surgeries that it was essential for them to have “robust plans” to migrate away from old software, such as Windows XP, by April 2015. Despite this, the older Microsoft operating system remained common within the NHS.
In total, one-third of NHS trusts in England were disrupted by the WannaCry attack: 81 of the 236 trusts across England were affected by the attack and 595 GP practices were also hit. None paid the ransom demanded by those behind WannaCry.
Locked out of systems by the file-encrypting malware, many NHS bodies had to resort to pen and paper and thousands of operations and appointments were cancelled.
“No harm was caused to patients and there were no incidents of patient data being compromised or stolen. Tried and tested emergency plans were activated quickly and our hard-working NHS staff went the extra mile to provide patient care, keeping the impact on NHS services and patients to a minimum,” said Keith McNeil, chief clinical information officer for health and care at NHS England.
In some instances, it took weeks for services to fully recover and the NAO report says that the NHS still doesn’t know the full extent of the disruption — which could have been much worse if cybersecurity researcher Marcus Hutchins hadn’t discovered a WannaCry kill switch, which prevented the ransomware from spreading to more systems.
While the Department of Health is said to have developed a plan for responding to a large-scale cyber-attack, it hadn’t been tested at local level, leading to confusion about who should lead the response to WannaCry.
In addition, email systems being taken down as a result of the attack meant those infected by the ransomware had problems communicating with national NHS bodies — eventually leading to communications being made via mobile devices and WhatsApp.
Ultimately, the report concludes that all organisations infected by WannaCry shared the same vulnerability and “simple action” could have been taken to prevent it by ensuring the correct patches and updates were in place. The NAO says there are lessons the NHS must learn from the incident.
“The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice,” said Amyas Morse, head of the National Audit Office.
“There are more sophisticated cyber threats out there than WannaCry so the department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
The NHS says it will learn from the incident and is taking action to ensure a more effective response can be taken in the event of a similar attack in future. Response plans are said to have been sharpened and £21m in funding has been made available to increase the cyber-resilience of urgent and emergency care centres. “Essential action” has also been taken to secure local firewalls.
“We welcome the outcome of this investigation which highlights some of the challenges we faced during the WannaCry incident and in our role to alert NHS organisations to known cyber security threats and advise them of appropriate steps to take to minimise risks,” said Dan Taylor, NHS Digital’s head of security.
“We learned a lot from WannaCry and are working closely with our colleagues in other national bodies to continue to listen, learn and offer support and services to frontline organisations.”
While most services have returned to normal, London’s Barts Health NHS Trust is still cancelling some appointments and operations in order to “run all services safely”.