NHS cyber attack affected 600 practices

by Léa Legraien
27 October 2017

Nearly 600 GP practices were affected by the NHS cyber attack, a recent National Audit Office (NAO) investigation has revealed.

On 12 May 2017, NHS England was the victim of a ransomware cyber attack known as WannaCry, the largest ever to affect the service.

The virus sent pop-up messages to NHS computers, requesting a $300 (around £230) ransom payment in exchange for access to the PCs.

As a result, patient records and emails were inaccessible and thousands of GP appointments were cancelled.

Preventable attack

The NAO argues the attack was ‘relatively unsophisticated’ and could have been prevented if the NHS had followed basic IT security practice.

Amyas Morse, head of the NAO, said: ‘There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.’

In 2015, health secretary Jeremy Hunt asked the Care Quality Commission (CQC) and the National Data Guardian to conduct a review of data security.

The reports, published the following year, warned the Department of Health (DH) about the risks of cyber attacks on the NHS and recommended that NHS organisations ensure they were doing what was necessary to improve their cyber security.

But the DH failed to conduct checks assessing whether those organisations had followed the advice and guidance.

The NAO report said that the affected organisations could also have prevented the attack by taking simple actions.

It said: ‘They had unpatched, or unsupported Windows operating systems that were susceptible to the ransomware.

‘However, whether organisations had patched their systems or not, taking action to manage their firewalls facing the internet would have guarded organisations against infection.’

A lesson for the future

Although the ransom wasn’t paid and no patient data were compromised or stolen, the disruption led to costs from cancelled appointments, additional IT support and data recovery.

Dan Taylor, NHS Digital’s head of security, said: ‘We welcome the outcome of this investigation which highlights some of the challenges we faced during the WannaCry incident and in our role to alert NHS organisations to known cyber security threats and advise them of appropriate steps to take to minimise risks.

‘We learned a lot from WannaCry and are working closely with our colleagues in other national bodies to continue to listen, learn and offer support and services to frontline organisations.’