NHS cyber attack could have been prevented, report finds

A cyber attack which crippled parts of the NHS in May could have been prevented if basic IT security measures had been taken, an independent investigation has found.


The head of the National Audit Office (NAO) warned the health service and Department of Health (DH) to 'get their act together' in the wake of the WannaCry crisis, or risk suffering a more sophisticated and damaging future attack.

The NAO's probe found that almost 19,500 medical appointments, including 139 potential cancer referrals, were estimated to have been cancelled, with five hospitals having to divert ambulances away after being locked out of computers on 12 May.

The malware is believed to have infected machines at 81 health trusts across England – one third of the 236 total – plus computers at almost 600 GP surgeries, the NAO found.

All were running computer systems – the majority Windows 7 – that had not been updated to secure them against such attacks.

The NAO said that while the health service's IT arm NHS Digital had issued critical alerts about WannaCry in March and April, the DH had no formal mechanism to determine whether local NHS organisations had taken any action.


NAO comptroller and auditor general Sir Amyas Morse said: 'The WannaCry cyber attack was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.

'There are more sophisticated cyber threats out there so the DH and the NHS need to get their act together to ensure the NHS is better protected against future attacks.'

More than 300,000 computers in 150 countries were infected with the WannaCry ransomware, including government agencies and global companies.

Emergency units had to divert ambulances away at the Royal London Hospital, Broomfield Hospital in Chelmsford, Essex; the Lister Hospital in Stevenage, Hertfordshire; Basingstoke Hospital in Hampshire and West Cumberland Hospital in Whitehaven, Cumbria.

Prior assessment

The NAO report revealed that, prior to the attack, NHS Digital carried out an on-site cyber security assessment at 88 out of the 236 health trusts in England. None passed. However, it had no powers to make them 'take remedial action even if it has concerns about the vulnerability of an organisation'.

The report also found:

  • The DH had been warned about the risks of cyber attacks on the NHS in July 2016 but, although work to improve security had begun, there was no formal written response until July 2017, two months after the attack.
  • The DH had developed a cyber attack response plan but had not tested it at a local level.
  • The NHS had not rehearsed for a national-level cyber attack, which led to leadership and communication problems when it struck.
  • NHS Digital does not believe that patient data was compromised or stolen.

NHS Digital head of security Dan Taylor said the NHS had 'responded admirably to the situation'.

'Staff pulled together'

He added: 'Doctors, nurses and professionals from all areas pulled together and worked incredibly hard to keep frontline services for patients running and to get everything back to normal as swiftly as possible.

'We learned a lot from WannaCry and are working closely with our colleagues in other national bodies to continue to listen, learn and offer support and services to frontline organisations.'

Keith McNeil, the NHS's chief clinical information officer for health and care, said: 'As the NAO report makes clear, no harm was caused to patients and there were no incidents of patient data being compromised or stolen.

'Tried and tested emergency plans were activated quickly and our hard-working NHS staff went the extra mile to provide patient care, keeping the impact on NHS services and patients to a minimum.'
