Nearly 20,000 hospital appointments were cancelled earlier this year because the NHS failed to provide basic security against cyber attackers.
The National Audit Office said a cyber-attack which crippled a third of NHS hospitals in May could have easily been prevented. NHS officials said 47 trusts had been affected – but the NAO found that the impact was far greater, and in fact 81 were hit by the attack.
Sir Amyas Morse, the head of the NAO, last night warned health bosses to ‘get their act together’ to prevent attacks happening again. The Department of Health said that from next January hospitals will be subject to unannounced inspections of IT security.
But the report reveals hospitals could have acted far sooner, with officials warned repeatedly about the WannaCry virus before the attack, with ‘critical alerts’ sent out in March and April.
A cyber-attack which crippled a third of NHS hospitals in May could have easily been prevented, according to the National Audit Office (stock image)
When the attack came on May 12 it ripped through the out-of-date defences used by the NHS.
The virus spread via email, locking staff out of their computers and demanding £230 to release the files on each employee account.
Hospital staff reported seeing computers go down ‘one by one’ as the attack took hold. Doctors and nurses were locked out, meaning they had to rely on pen and paper, and crucial equipment such as MRI machines were also disabled by the attack.
The report reveals nearly 19,500 medical appointments were cancelled, including 139 potential cancer referrals. Five hospitals had to divert ambulances away at the peak of the crisis.
Hospitals were found to have been running out-of-date computer systems, such as Windows XP and Windows 7 – that had not been updated to secure them against such attacks. Computers at almost 600 GP surgeries were also victims.
Sir Amyas said: ‘It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.
‘There are more sophisticated cyber threats out there than WannaCry so the Department of Health and the NHS need to get their act together to ensure the NHS is better protected against future attacks.’
Experts last night criticised the way the Government seemingly failed to prepare.
Meg Hillier, chairman of the Public Accounts Committee, said: ‘The NHS could have fended off this attack if it had taken simple steps to protect its computers and medical equipment.
‘Instead, patients and NHS staff suffered widespread disruption, with thousands of appointments and operations cancelled.’
Jonathan Ashworth MP, Labour health spokesman, added: ‘This report reveals a catalogue of failures which needlessly left our NHS vulnerable and placed patient safety at risk.
When the attack came on May 12 it ripped through the out-of-date defences used by the NHS
‘In the digital age, it is abundantly clear that a 21st Century health service should have been far better prepared for a cyber-attack.’
But Dan Taylor, NHS Digital’s head of security, said WannaCry had been ‘an international attack on an unprecedented scale’ and the NHS had ‘responded admirably’.
He said: ‘Doctors, nurses and professionals from all areas pulled together and worked incredibly hard to keep frontline services running and to get everything back to normal as swiftly as possible.’
Keith McNeil, the NHS’s chief clinical information officer for health and care, added: ‘As the NAO report makes clear, no harm was caused to patients and there were no incidents of patient data being compromised or stolen.
‘Tried and tested emergency plans were activated quickly and our hard-working NHS staff went the extra mile to provide patient care, keeping the impact on NHS services and patients to a minimum.’
A Department of Health spokesman said: ‘The NHS has robust measures in place to protect against cyber-attack.
‘Since May we have taken further action to strengthen resilience and guard against future attack, including new, unannounced cyber security inspections by the Care Quality Commission, £21million in funding to improve resilience in trauma centres, and guidance for trusts.’