The global WannaCry attack in May hit a third of English NHS Trusts; according to a report released last week by the National Audit Office (NAO), it could have been prevented. The cyber-attack was a blow to the NHS’ reputation, with reportedly 6,900 appointments cancelled, but the impact was felt by up to 19,000 appointments.
According to the NAO report, the Department of Health and the Cabinet Office warned Trusts as far back as 2014, to ensure that they completed patches and migrated away from older software to mitigate risks. Despite these warnings, Trusts did not act on critical NHS Digital alerts.
NHS critical assets
WannaCry spread across 150 countries, but made headlines in the UK due to its extensive spread across NHS England. Branded a fairly unsophisticated attack, WannaCry highlighted a major flaw in the NHS IT environments.
With the NHS focus on becoming more productive and efficient by utilising IT applications and infrastructure, this was a wakeup call for Trusts to put in place an ongoing programme to protect their critical assets.
The NAO report identified an assessment by NHS Digital of 88 Trusts (out of 236 Trusts) conducted before the attack, which found that none met the required cyber security standards.
Gaps in patch management was one of the major issues that the NAO identified. Due to time and resource constraints, updates were regularly missed.
The NHS praised staff for their quick response to overcome the attack, yet the report highlights that more should have be done to proactively prevent this attack, rather than rely on a reactive response. BDS Solutions’ believes patch updates should be an integral part of IT management.
From experience, we work with a number of NHS Trusts and the take up of our patch management service, as an add-on to Directory Manager, is on the increase. The attack has raised the awareness of the importance of considering updates, as a fundamental part of risk management.
The NHS needs to ensure it protects itself for the next attack. Cyber-attacks are gaining in sophistication and the NHS needs to take the May attack as a warning. The Trusts that were hit were lucky, patient data was not lost or compromised, but next time they might not be so fortunate.
Putting in a place a robust plan that is adopted by all Trusts is essential. As is, ensuring patches that have been designed to protect against the latest security threats are implemented in a timely way. Only then, can the NHS be confident that the risks of cyber-crime are managed to the best of their abilities.