WannaCry Ransomware Attack That Crippled UK Hospitals Could Have Been Avoided With Basic IT Security

You might think that the massive number of security breaches that have happened in recent years would push corporate giants and medical facilities out there to take a look at their own security and ensure that their networks are protected. We are only a few months removed from the massive attack that breached Equifax and leaked the information on 143 million Americans into the wild. Now the UK's National Audit Office (NAO) is giving a postmortem following the WannaCry ransomware attacks that hit several hospitals in the country.


The ensuing investigation found incredibly lax security protecting the networks and determined that NHS had failed to follow basic IT security practices. The key findings of the investigation have been published.

According to these findings, the NHS had been warned about the potential risks of the cyber attacks a full year before the WannaCry outbreak and didn't respond to a formal written report until July of 2017. The WannaCry attack caused a disruption in 34% of trusts in England. On May 12 it was found that at least 81 out of 236 trusts across England had been infected by WannaCry ransomware. Another 603 primary care and NHS organizations were also affected along with 595 GP practices.

As a result of the attack, "thousands" of appointments in five areas had to be canceled leaving the people to travel further to get their medical treatment. The investigation found that 6,912 appointments had to be canceled that are known of, but there was no way to know how many GP appointments were canceled.

The WannaCry ransom wasn't paid by any part of the organization according to the National Crime Agency. There is no indication of just how much this attack cost in total between canceled appointments, IT support, and the cost of restoring data for affected systems. The report also points out that the attack would have caused even more disruption had it not been for the "kill switch" being activated by a researcher.

There was a plan in place at the national and local levels for this sort of issue, but that plan had never been tested at the local level. Perhaps the key finding in the report was that all organizations infected by WannaCry shared the same vulnerability and "relatively simple action" could have protected the networks and computers. The locations were running unpatched and unsupported versions of Microsoft Windows operating systems and the firewalls facing the internet weren't being managed. The final key finding in the report was that NHS has accepted that there are lessons to be learned by the WannaCry attack and is taking action. NHS still believes that no patient data was compromised or stolen in the attacks.