WannaCry ransomware report: NHS is still not ready for the next big attack

"The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cyber security and response plans of the NHS," warn MPs.
Written by Danny Palmer, Senior Writer

Almost a year on from the WannaCry ransomware attack, both the government and the National Health Service are failing to implement the required cybersecurity measures to ensure the organisation doesn't suffer from similar onslaughts in future.

WannaCry quickly spread around the world last May, infecting systems all over the globe. The attack was indiscriminate, but the NHS became one of the most high profile victims of the attack.

Hospitals and clinics were forced offline and 20,000 appointments were cancelled. In some cases, systems didn't return to normal for weeks.

An investigation by MPs into the handling of the incident has called WannaCry "a wake-up call for the NHS" and says the health service and the government must do more to ensure systems are protected.

"The Department of Health and Social Care and its arm's-length bodies were unprepared for the relatively unsophisticated WannaCry attack," said the new report from the Public Accounts Committee.

The ability to invest in cyber security is also being hindered because the Department of Health "still does not know what financial impact the WannaCry cyber-attack had on the NHS," warn the MPs who set a deadline for June for an update of costed plans for "vital" cyber security investment.

"The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cyber security and response plans of the NHS," said Committee chair, Meg Hillier MP.

"It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed.

"Government must get a grip on the vulnerabilities of and challenges facing local organisations, as well as the financial implications of WannaCry and future attacks across the NHS," Hillier added.

See also: Ransomware: An executive guide to one of the biggest menaces on the web

The Committee warns that at the time they were receiving evidence, "NHS Digital had completed on-site assessments to test cyber security and identify vulnerabilities at 200 trusts, although all trusts had failed the assessment".

WannaCry was powered by EternalBlue, a leaked NSA hacking tool which came to light in early 2017. Microsoft released a patch to protect against the Windows-targeting exploit and NHS Trusts across the country were urged to install the update in order to protect systems against a potential attack.

Despite this, many organisations didn't apply the patch and systems were subsequently infected by WannaCry - something which they would've been protected against if it had been applied.

NHS England and NHS Digital told MPs that the complexity and size of trusts' IT estates means they find patching systems difficult: "Patching can disrupt the use of medical equipment and present a clinical risk to patients, and applying a patch in one part of an IT system can cause disruption elsewhere in that system".

However, even the organisations that didn't apply the patch could have been protected if firewalls and network segmentation had been implemented, MPs were told.

A key message throughout the report is that the health service must take heed of mistakes made in the disjointed response to WannaCry - but the Department of Health admits there's still much more work to do.

"Every part of the NHS must be clear that it has learned the lessons of WannaCry. The health service has improved its cyber security since the attack, but there is more work to do to protect data and patient care," a spokesperson for the Department of Health and Social Care told ZDNet.

See also: This is how it feels to face a major cyber attack

The Department of Health has set aside an additional £200m for cybersecurity up to 2020, but the report warns the NHS faces a particular challenge with cyber security because, "NHS organisations, including local organisations, struggle to recruit and retain skilled cybersecurity staff".

Ultimately, with a skills shortage, cybersecurity professionals can earn higher salaries in the private sector, meaning the public sector struggles to attract and retain talent. That's a particular problem for government, especially, as MPs warn, another attack inevitably hits.

"Although the Department and NHS bodies have learned lessons from WannaCry, they have a lot of work to do to improve cybersecurity for when, and not if, there is another attack," said the Committee.

In response to the report, the National Health Service said it has learned from WannaCry and is working to ensure future attacks can be better remedied.

"We welcome the recommendations of the committee and will continue to work with our partners across the NHS and Government to implement them," Dan Taylor, associate director of the Data Security Centre at NHS Digital told ZDNet.

"We learned a lot during WannaCry and have made significant progress in further expanding and improving our role, alerting NHS organisations to known cyber security threats and advising them of appropriate steps to take to minimise risks and the impact on essential front-line services," he added.


Editorial standards