Last updated: 22.11.17

Security and auditing lessons to learn from the NHS cyber attack

On May 12th 2017, the NHS was hit by the most serious cyber attack ever to affect the health service in England, with systems up and down the country taken out of commission by the WannaCry ransomware, a worm that encrypted files and spread on its own from one unpatched Windows machine to the next.

Although the impact of the ransomware attack was global, with organisations in more than 150 nations affected, it was the impact on the NHS that generated the most coverage in the UK - not only because of the disruptions it caused to patient care, but also because of the subsequent discovery that the damage to this vital public service was largely avoidable.

The NHS is still working to learn and implement the lessons from this incident, but organisations from every sector should also be looking at the attack as a cautionary tale of the importance of proper security and auditing procedures, and investing in compliance training to ensure that they do not make the same mistakes.

How did security failings contribute to the WannaCry attack?

The impact of the WannaCry incident was wide-ranging and highly damaging, with disruption affecting at least 34 per cent of NHS trusts in England (81 of 236). A report from the National Audit Office (NAO) examining the situation estimated that around 19,000 appointments had to be cancelled, and patients in five areas had to travel further for emergency care because local services had been taken out of commission.

It is still unknown exactly how much the attack cost the publicly funded service, but the amount spent rescheduling appointments, sourcing IT support and restoring affected data and systems is likely to have been considerable, and could have been far higher had a security researcher not registered the web domain that the malware looked up before running; once that domain resolved, new infections stopped, which is why it is described as a kill switch.

The NAO's report was quick to point out that NHS security failings were responsible for the malware spreading as far as it did. Every affected trust was running unpatched or unsupported versions of Windows that were susceptible to the ransomware, even though Microsoft had released the update that closed the flaw in March 2017, two months before the outbreak, and the trusts had not managed their firewalls properly to block the traffic the worm used to reach them.
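The two failings described above, unsupported or unpatched Windows hosts and firewalls that left them reachable, are exactly the ones a routine inventory audit can surface before an outbreak. The script below is an added example and is not code from the NAO, the NHS or the original article. It relies on two facts about the incident that the article does not spell out: WannaCry spread between machines over SMB on TCP port 445, and the Microsoft update that closed the flaw (MS17-010) shipped on 14 March 2017, two months before the outbreak. The inventory layout, the sample hosts, the set of unsupported versions and the priority scheme are all constructed for the example.

```python
"""Inventory audit for the two failings behind the WannaCry spread.

Added example, not code from the NAO report or the NHS.  The inventory
format and the sample hosts below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# Known facts about the incident: Microsoft shipped MS17-010, which closed the
# SMBv1 flaw WannaCry exploited, on 14 March 2017; the outbreak began 12 May 2017.
MS17_010_RELEASE = date(2017, 3, 14)
# WannaCry propagated host-to-host over SMB on this port.
SMB_PORT = 445
# Versions with no vendor security updates at the time (assumed set for the example).
UNSUPPORTED_OS = frozenset({"Windows XP", "Windows Server 2003"})


@dataclass(frozen=True)
class Host:
    """One inventory record (constructed layout, not an NHS schema)."""
    name: str
    os: str
    last_update: Optional[date]          # newest Windows update applied; None if unknown
    smb1_enabled: bool
    open_inbound_ports: FrozenSet[int] = frozenset()  # reachable from untrusted networks


def audit_host(host: Host) -> dict:
    """Return the findings for one host and a priority derived from them.

    A host counts as unpatched if it is unsupported (no fix exists for it) or
    has received no update since MS17-010 shipped.  Unknown patch state is
    treated as unpatched: an auditor cannot assume a fix that nothing records.
    """
    findings: List[str] = []
    unpatched = False
    if host.os in UNSUPPORTED_OS:
        findings.append("unsupported OS: no vendor security updates available")
        unpatched = True
    elif host.last_update is None or host.last_update < MS17_010_RELEASE:
        findings.append("no update since MS17-010 release: SMBv1 flaw presumed open")
        unpatched = True
    if host.smb1_enabled:
        findings.append("SMBv1 enabled: legacy protocol the worm exploited")
    exposed = SMB_PORT in host.open_inbound_ports
    if exposed:
        findings.append(f"TCP {SMB_PORT} reachable from untrusted networks")

    # An open flaw that is also reachable is what lets a worm walk in;
    # the remaining findings are hygiene to fix on a normal schedule.
    if unpatched and exposed:
        priority = "critical"
    elif unpatched:
        priority = "high"
    elif findings:
        priority = "medium"
    else:
        priority = "ok"
    return {"priority": priority, "findings": findings}


def audit(inventory: List[Host]) -> Dict[str, dict]:
    """Audit every host, keyed by hostname."""
    return {host.name: audit_host(host) for host in inventory}


def summarise(results: Dict[str, dict]) -> Dict[str, int]:
    """Count hosts per priority, the figure a compliance report would lead with."""
    counts: Dict[str, int] = {}
    for result in results.values():
        counts[result["priority"]] = counts.get(result["priority"], 0) + 1
    return counts


# Constructed sample inventory (hostnames and states are invented).
SAMPLE_INVENTORY = [
    Host("ward-pc-01", "Windows XP", date(2014, 4, 8), True, frozenset({139, 445})),
    Host("legacy-scanner", "Windows 7", None, True, frozenset({445})),
    Host("radiology-srv", "Windows 7", date(2017, 2, 14), True),
    Host("file-srv", "Windows Server 2012 R2", date(2017, 3, 21), True, frozenset({445})),
    Host("admin-laptop", "Windows 10", date(2017, 5, 9), False),
]

if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for name, result in results.items():
        print(f"{name:15} {result['priority']:9} {'; '.join(result['findings']) or '-'}")
    print(summarise(results))
```

Run as a script it prints one line per host and a count per priority. The ordering is the point: an unpatched host that untrusted networks can reach on port 445 is the one a worm finds first, a patched host with SMBv1 still switched on is worth fixing but is not an emergency, and a host whose patch state nobody recorded is treated as unpatched rather than given the benefit of the doubt.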

This is particularly damning given that the Department of Health had been specifically warned about the risk of cyber attacks on the NHS a year before WannaCry, yet had no formal mechanism for checking whether every trust had applied the requisite security updates. Additionally, the intended plan for responding to a national cyber attack had never been tested properly, so it was not immediately clear who should lead the response, resulting in significant problems with communications.

What can other organisations learn from this?

NAO head Amyas Morse said: "It was a relatively unsophisticated attack, and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry, so the department and the NHS need to get their act together to ensure the NHS is better protected against future attacks."

The high-profile nature of WannaCry and the damage it caused mean that Mr Morse's advice should be heeded by organisations in every industry. Running unsupported or unpatched software leaves critical systems open to attackers who need no great skill, and without a tested plan for responding to an incident, the damage spreads faster than the organisation can contain it.

As such, it is essential for any organisation that depends on IT, from small businesses through to nationwide public services, to invest in a proper auditing system and compliance training for staff. Auditing here means knowing, at any moment, which systems are in use, which are unsupported or missing security updates, and which are reachable from untrusted networks; training must ensure that everyone involved shares the same commitment to proper security standards and is working towards a shared definition of how to achieve them. Failing to learn the lessons of the WannaCry attack means dooming your organisation to repeat its consequences.

Summary: A report has shown that the cyber attack on the NHS in May 2017 could have been prevented by basic security improvements and auditing tools, meaning that organisations from all sectors have something to learn from the incident.

Source
www.nao.org.uk
