‘Basic IT security’ in the NHS could have prevented damage from WannaCry cyber attack

The NHS was left devastated in May 2017 when hackers took control of computer systems, locking data and blocking access until a ransom was paid. 

The disruption, affecting 81 NHS trusts and causing the cancellation of thousands of patient appointments across the country, was caused by a global ransomware attack known as WannaCry. 

The National Audit Office (NAO) today published the findings of its investigation into the attack. Its report says that the Department of Health (DoH) was “warned about the risks of cyber attacks on the NHS a year before WannaCry”. It also says that work was being undertaken in response to the warnings but that a formal written report was not published until July 2017, two months after the attack.

NHS Digital ‘broadcasting alerts about cyber threats’ 

According to the NAO report, the DoH had begun work to strengthen cyber security before the attack. An NHS Digital assessment carried out before the attack found that none of the 88 trusts assessed had passed the required cyber security standards. As a result, NHS Digital was broadcasting alerts about cyber threats, had a hotline available should an incident occur and was carrying out on-site assessments to help protect against future cyber attacks.

Despite the work that was being undertaken, it was not known whether local NHS organisations were fully prepared for an attack. 

In light of the increasing threats facing healthcare organisations, providing a baseline level of cyber security and staff awareness is essential to operational continuity in an increasingly digitised NHS.  

Cyber Essentials 

Cyber Essentials is a government-backed cyber security certification scheme that sets out a good baseline of cyber security and, when implemented correctly, can prevent about 80% of cyber attacks.  

As a leading CREST-accredited certification body, IT Governance offers three fixed-price solutions to support certification to either Cyber Essentials or Cyber Essentials Plus. The Do It Yourself, Get A Little Help, and Get A Lot Of Help packages use your internal expertise to provide a solution based on your organisation’s needs.


Staff training 

When organisations look to initiate a compliance programme or implement a management system, the ‘people’ factor is often overlooked. With the ‘human’ factor among the key vulnerabilities to cyber attacks, it is imperative that staff awareness and training programmes are in place to ensure new initiatives are completely integrated.  

IT Governance has an extensive suite of tools and training materials to help you set up your staff awareness programme. Our training offers customisable reading material, e-learning courses, in-house and classroom training, or a full-service security awareness programme to suit organisations of any security maturity.  
