The NHS was hit by a massive ransomware attack named "WannaCry" because of "basic" security failings that simple industry practices should have addressed, a scathing official report has concluded.
The report, from the National Audit Office (NAO), said one in three NHS trusts were hit by the cyberattack in May, which locked up affected computers and demanded a ransom in order to restore them. Five accident and emergency wards had to redirect patients, and hundreds of hospitals and GP clinics were hit by the attack.
The report criticised the NHS's chaotic approach to tackling the attack, saying that despite the NHS having a national plan to tackle such threats, there was not much understanding of it on the ground.
"As the NHS had not rehearsed for a national cyberattack it was not immediately clear who should lead the response and there were problems with communications," it noted.
"Many local organisations could not communicate with national NHS bodies by email as they had been infected by WannaCry or had shut down their email systems as a precaution … Locally NHS staff shared information through personal mobile devices, including using the encrypted WhatsApp application."
However, the NAO said the attack was "relatively unsophisticated" and should have been prevented: basic practices such as keeping software patched and running effective firewalls would have stopped much of WannaCry's spread. It also criticised the NHS's response as the crisis unfolded, noting that many trusts were unable to contact national bodies for help because their email systems were down.
"The WannaCry cyberattack had potentially serious implications for the NHS and its ability to provide care to patients," said NAO head Amyas Morse. "It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.
"There are more sophisticated cyber threats out there than WannaCry so the [Department of Health] and the NHS need to get their act together to ensure the NHS is better protected against future attacks."
The report said no NHS trust had paid the ransom the attack demanded, but said it could not quantify the cost of the attack on the NHS's finances. It did, however, find the attack affected at least 81 of NHS England's 236 trusts, led to at least 6,912 direct appointment cancellations and a total of 19,000 cancelled appointments and operations – as well as causing ambulances in areas across the country to be diverted. Patients had to be diverted away from five A&E departments, in London, Essex, Hertfordshire, Hampshire and Cumbria.
The NAO report also praised the work of Marcus Hutchins, the security researcher who found the "kill switch" for the malware, which prevented its spread – who was subsequently arrested in the US on an unrelated matter after attending a security conference.
Hutchins' efforts, the report concluded, had prevented the attack causing "more disruption". The report further noted the NHS's "recovery was helped by the work of the cyber security researcher that stopped WannaCry spreading".
Hutchins remains on bail in the US, after his arrest in August in connection with alleged hacking offences. He denies all charges.
James Ball is a special correspondent for BuzzFeed News and is based in London.
Contact James Ball at James.Ball@buzzfeed.com.