The UK’s National Health Service (NHS) could easily have escaped the WannaCry outbreak of May unscathed had it taken several earlier warnings seriously, according to a new report.
The National Audit Office (NAO) has issued a report blaming England’s publicly funded national healthcare system for ignoring warnings, issued since 2014, that sooner or later it would fall victim to one of the many cyber attacks under way.
The Department of Health and the Cabinet Office wrote to NHS trusts in 2014 urging them to put “robust plans” in place to migrate from old, vulnerable software by April 2015.
Three years later, the NHS not only had not migrated away from Windows XP, it had “no formal mechanism for assessing whether local NHS organisations had complied with their guidance and whether they were prepared for a cyber attack,” according to NAO.
“The WannaCry cyber-attack had potentially serious implications for the NHS and its ability to provide care to patients,” said Amyas Morse, head of the National Audit Office, on 27 October 2017.
“It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice,” Morse continued. “There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
The NAO report further notes that the NHS was warned about a potential cyber-attack a full year before WannaCry broke out.
“…although it had work underway it did not formally respond with a written report until July 2017,” the report reads.
Other key findings include:
- The attack led to disruption in at least 34% of trusts in England, but the costs remain unknown
- Thousands of appointments and operations were cancelled
- In five areas patients had to travel further to accident and emergency departments
- No NHS organization paid the ransom
- The Department had developed an incident response plan, but had not tested the plan at a local level
- All organisations infected by WannaCry shared the same vulnerability and could have taken “relatively simple action” (such as managing their firewalls properly) to protect against a potential attack
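The last finding is the one a practitioner can act on. As an added example (not taken from the NAO report or from the article), the PowerShell below audits a Windows host for the two “relatively simple” controls the finding points at: whether the SMBv1 server protocol is still enabled, and whether an inbound firewall rule blocks TCP port 445. It assumes, as a matter of public record rather than anything stated on this page, that WannaCry spread over SMBv1 on TCP 445, and that the `SmbShare` and `NetSecurity` cmdlets used here are available (Windows 8.1/Server 2012 R2 and later). The function names `Test-SmbExposure` and `Invoke-SmbHardening` are hypothetical.

```powershell
# Added example, not the article's or the NAO's own material.
# Assumptions (not stated on the page): WannaCry propagated over SMBv1 on
# TCP 445; the cmdlets below exist on Windows 8.1 / Server 2012 R2 and later.
# Hypothetical function names: Test-SmbExposure, Invoke-SmbHardening.
# A Windows XP host cannot run this at all, which is itself the finding the
# report makes: such hosts need isolating and migrating, not scripting.

function Test-SmbExposure {
    [CmdletBinding()]
    param()

    # Is the SMBv1 server protocol still switched on?
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Is there an enabled inbound rule that blocks TCP 445 (or all TCP ports)?
    $blockRule = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '445' -or $pf.LocalPort -eq 'Any')
        }

    # Which firewall profiles are active right now (Domain/Private/Public)?
    $profiles = (Get-NetConnectionProfile).NetworkCategory -join ','

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        SMB1Enabled           = [bool]$smb1
        Port445BlockedInbound = [bool]$blockRule
        ActiveProfiles        = $profiles
        # Exposed = the legacy protocol is on and nothing at the host firewall stops it.
        Exposed               = ([bool]$smb1 -and -not [bool]$blockRule)
    }
}

function Invoke-SmbHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Block inbound TCP 445 on Public/Private profiles')) {
        # The Domain profile is left alone so file and print sharing inside the
        # trusted network keeps working; adjust to the site's segmentation policy.
        New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block `
            -Profile Public, Private -Enabled True | Out-Null
    }
}

# Usage: run from an elevated PowerShell session.
$state = Test-SmbExposure
$state | Format-List
if ($state.Exposed) {
    # -WhatIf reports what would change without changing anything; drop it to apply.
    Invoke-SmbHardening -WhatIf
}
```

Because `Invoke-SmbHardening` supports `-WhatIf`, the audit and the change can be reviewed separately, which is the local testing step the report says was missing. The host-firewall rule is a backstop, not a substitute for the patch or for migrating off unsupported systems; the article's point is that both steps had been on the table since 2014.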
IDC’s Health Insights predicts one in three healthcare records will be breached in 2018 because healthcare providers are not spending enough on security. And according to the FBI, the US healthcare industry loses between $74 billion and $246 billion (or 3% and 10% of healthcare expenditures) every year due to fraudulent billing.
Cybercriminals have a particular taste for the healthcare sector because it holds copious amounts of patient records that can be sold or used to commit fraud, and even extortion – as was the case with London Bridge Plastic Surgery.