An investigation into the WannaCry cyberattack, which took place in May this year, has found that the NHS failed to implement crucial Microsoft software updates.
The report, released today by the UK’s National Audit Office, said that in 2014 NHS trusts were told that it was essential they had “robust plans” to migrate away from old software, such as Windows XP, by April 2015.
In March and April 2017, NHS Digital had issued critical alerts warning organisations to patch their systems to prevent WannaCry. However, before 12 May 2017, the Department had no formal mechanism for assessing whether local NHS organisations had complied with their advice and guidance and whether they were prepared for a cyberattack.
In total, at least 81 out of 236 trusts across England were affected by the WannaCry ransomware, leading to over 19,000 cancelled appointments.
“The WannaCry cyberattack had potentially serious implications for the NHS and its ability to provide care to patients,” says Amyas Morse, head of the National Audit Office. “It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
At the time of the attack, Microsoft president and chief legal officer Brad Smith said that the governments of the world should treat this attack as a wake-up call.
“As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems,” he warned. “Otherwise they’re literally fighting the problems of the present with tools from the past. This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support.”