NHS could have avoided WannaCry simply by patching Windows 7 or securing firewalls, claims NAO
"All organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves"
NHS trusts across the country left themselves wide open to the WannaCry ransomware outbreak in May because they failed to apply patches for Windows 7 that had been available for two months.
That's according to NHS Digital and the National Audit Office's official investigation into the WannaCry outbreak.
"All organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves," concluded the NAO.
The report continues: "All NHS organisations infected by WannaCry had unpatched or unsupported Windows operating systems so were susceptible to the ransomware.
"However, whether organisations had patched their systems or not, taking action to manage their firewalls facing the internet would have guarded organisations against infection.
"NHS Digital told us that the majority of NHS devices infected were unpatched but on supported Microsoft Windows 7 operating systems. Unsupported devices (those on XP) were in the minority of identified issues.
"NHS Digital has also confirmed that the ransomware spread via the internet, including through the N3 network (the broadband network connecting all NHS sites in England), but that there were no instances of the ransomware spreading via NHSmail (the NHS email system)."
Lessons identified by the Department of Health and NHS bodies included the following:
- Develop a response plan setting out what the NHS should do in the event of a cyber attack and establish clear roles and responsibilities for local and national NHS bodies, and the Department of Health;
- Ensure organisations implement critical CareCERT alerts (emails sent by NHS Digital providing information or requiring action), apply software patches as a matter of urgency, and keep anti-virus software up to date;
- Ensure that essential communications can get through during an attack when systems are down; and
- Ensure that organisations, boards and their staff take IT security risks seriously, understand the risks to front-line services as a result of cyber attacks and improve their resilience to cyber attack.
"Since WannaCry, NHS England and NHS Improvement have written to every trust, clinical commissioning group and commissioning support unit asking boards to ensure that they have implemented all 39 CareCERT alerts issued by NHS Digital between March and May 2017 and taken essential action to secure local firewalls," claimed the NAO.