The National Audit Office has reported that the NHS could have done more to prevent the recent WannaCry ransomware outbreak that brought the service to its knees. The outbreak, which saw 6,900 appointments cancelled, affected hospital and GP services across the UK.
An assessment of 88 out of 236 trusts, conducted by NHS Digital prior to the attack, found that none passed the required cyber-security standards.
Perhaps equally shocking is the National Audit Office report. It shows that plans were put in place by the Department for Health but that, rather embarrassingly, these were not communicated or tested within the NHS Trusts.
“Before 12 May 2017, the department had no formal mechanism for assessing whether NHS organisations had complied with its advice and guidance.”
This must act as a serious wake-up call to an institution that we all rely on at some point during our lifetime.
The importance of Planning & Communication
The report points out that no ransom was paid and the NHS made a fairly speedy recovery. However, critics are quick to point out that had the breach happened during the winter, when the service is under the most pressure, the impact could have been much worse. That said, the NHS has suffered reputational damage, and the trust we all place in its systems has been shaken.
The attack highlights the importance of data back-up and having a robust planning mechanism in place so that information can be quickly restored should an attack happen.
It also shows the importance of having a robust security plan in place and ensuring that this is regularly reviewed to keep pace with increasingly sophisticated threats. Remember, this piece of malware was not sophisticated and could have been prevented by simply following industry best practice.
It also shows that this is not just about investing in technology defences. It’s about communication and preparation. It’s all well and good having a plan, but if no-one is aware of it, it really won’t help when it needs to be actioned.
These types of threats are not going away. The only good news in this story is that no patient data was stolen…this time.