'Basic IT security' could have stopped NHS WannaCry hack

The National Audit Office (NAO) has led an investigation into the NHS response to the WannaCry hack in May this year, which was the most widespread attack to hit the healthcare service.

According to the investigation, the attack led to disruption in at least 34% of trusts in England, although the Department and NHS England do not know the full extent of the disruption.

The investigation also found that the attack was relatively unsophisticated and could have been prevented had the NHS followed basic IT security best practice. In early 2014, the Department of Health and the Cabinet had written to NHS trusts, saying it was essential they had “robust plans” to migrate away from old software. In March and April 2017, NHS Digital issued critical alerts warning organisations to fix the exact bug in their Windows computers that later enabled WannaCry to spread rapidly.

Prior to the attack, NHS Digital also carried out on-site cyber security assessments at 88 health trusts in England, of which none passed, yet the organisation had no powers to force them to improve their systems.