Published: Sat, October 28, 2017
Hi-Tech | By Cory Rios

Government blames North Korea for 'WannaCry' cyberattack on NHS

Government blames North Korea for 'WannaCry' cyberattack on NHS

Over a third of trusts in England were hit by the cyber-attack, which affected more than 150 countries on the 12 May.

Thousands of appointments and operations were cancelled and in five areas patients had to travel further to accident and emergency departments.

The report said NHS trusts had not acted on critical alerts from NHS Digital and a warning from the Department of Health and the Cabinet Office in 2014 to patch or migrate away from vulnerable older software.

"[WannaCry] was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice", NAO chief Amyas Morse said in the statement.

NHS Digital does not believe any patient data was affected or stolen.

Security researchers in the US and United Kingdom pointed their fingers at Pyongyang in the weeks following the attack, but Mr. Wallace's comments Friday mark the first time Britain has formally blamed WannaCry on North Korean hackers.

The Department of Health had reportedly developed a plan, which included "roles and responsibilities of national and local organisations for responding to a major cyberattack", but had not tested the plan at a local level, the report said.

Nearly 500 appointments and procedures were cancelled when its computers were infected by the WannaCry ransomware in May.

But the probe found that the Department of Health had warned the NHS about the risks of cyberattacks a year before the incident took place.

More news: Olivia Colman Cast as Claire Foy's Replacement in 'The Crown'

However, before 12 May 2017, the Department had no formal mechanism for assessing whether NHS organisations had complied with its advice and guidance. As a result, this meant that the NHS was not clear what actions it should take when it was hit with the WannaCry ransomware. Furthermore, there had been no rehearsals of a cyber-attack on the NHS, which meant understanding of who would lead the response was unclear, says the report.

The report adds that no hospital paid the required ransom, but that the total costs from the disruptions and cancellations were not known.

Prior to the attack, NHS Digital had conducted an on-site cyber-security assessment for 88 out of 236 trusts, and none had passed.

Meg Hillier, chairman of the Public Accounts Committee, said: 'The NHS could have fended off this attack if it had taken simple steps to protect its computers and medical equipment.

Dan Taylor, NHS Digital's Head of Security, said WannaCry had been "an global attack on an unprecedented scale" and the NHS had "responded admirably to the situation".

The NAO said the NHS "has accepted that there are lessons to learn" from WannaCry and will now develop a response plan.

"The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients", the report reads.

Hospitals were found to have been running out-of-date computer systems, such as Windows XP and Windows 7 - that had not been updated to secure them against such attacks.

Like this: