This site is intended for health professionals only

Attack on NHS IT systems ‘could have been prevented’, NAO report finds

Attack on NHS IT systems ‘could have been prevented’, NAO report finds
By Carolyn Wickware
27 October 2017



An investigation into the WannaCry cyberattack on NHS computers found that it 'could have been prevented by the NHS following basic IT security best practice'.

The report from the National Audit Office found that the DH had been warned about the risks of a cyber attack on the NHS a year before the WannaCry attack and while it had a plan to respond to such an attack, it had not been tested at a local level.

Preventable attack

An investigation into the WannaCry cyberattack on NHS computers found that it 'could have been prevented by the NHS following basic IT security best practice'.

The report from the National Audit Office found that the DH had been warned about the risks of a cyber attack on the NHS a year before the WannaCry attack and while it had a plan to respond to such an attack, it had not been tested at a local level.

Preventable attack

The attack on Friday 12 May 2017 led to disruption in at least 34% of trusts in England, affecting least 81 out of 236 trusts along with 603 primary care organization, including 595 GP practices.

Amyas Morse, head of the National Audit Office, said: ‘It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.

‘There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.’

Effect on patients

The report also found that thousands of appointments and operations were cancelled and in five areas patients had to travel further to accident and emergency departments.

NHS England identified 6,912 appointments had been cancelled but neither the DH nor NHS England know how many GP appointments were cancelled, or how many ambulances and patients were diverted from the five accident and emergency departments that were unable to treat some patients.

Director of development and operations at NHS Providers Ben Clacy, said: ‘Further attacks are inevitable so it is important that lessons are learned.’

He added: ‘A large majority of the affected trusts managed to carry on treating urgent and emergency patients through the weekend, and a few days after the attack only two were still diverting patients.

‘That tells us a lot about the commitment, resilience and resourcefulness of staff working under difficult conditions.’

Want news like this straight to your inbox?

Related articles