Lackadaisical NHS trusts to blame for WannaCry ransomware compromise, concludes National Audit Office

Department of Health warned of rising IT security risks a year before WannaCry, but NHS trusts ignored advice, claims NAO

The National Audit Office (NAO) has pointed the primary finger of blame at lackadaisical NHS trusts for the spread of the WannaCry ransomware that affected at least 81 out of the 236 NHS trusts across England in May this year.

The ransomware also affected a further 603 primary care and other NHS organisations, including 595 GP surgeries.

A review into IT security across the NHS commissioned by the Secretary of State for Health had warned a year before that healthcare IT systems might be vulnerable to compromise.

That review had recommended that "all health and care organisations needed to provide evidence that they were taking action to improve cyber security, including moving off old operating systems," according to the NAO report published today.

But the report adds that "the Department and its arm's length bodies did not know whether local NHS organisations were prepared for a cyber attack".

The NAO makes clear that the NHS trusts and other decentralised organisations themselves, not the Department of Health, based in Whitehall, were primarily responsible for their IT security.

In particular, the Department of Health had repeatedly urged NHS trusts and other public-sector healthcare organisations to put in place "robust" migration plans to shift from the out-of-support Microsoft Windows XP operating system since 2014.

In addition, in March and April 2017 it had also "issued critical alerts warning organisations to patch their systems" with updates that would have prevented the spread of the WannaCry ransomware.

The NAO adds, though, that the Department of Health "had no formal mechanism for assessing whether NHS organisations had complied with its advice and guidance".

Prior to WannaCry, NHS Digital had conducted on-site IT security assessments covering just 88 out of 236 NHS trusts - but none had passed, notes the NAO.

"However, NHS Digital cannot mandate a local [NHS] body to take remedial action, even if it has concerns about the vulnerability of an organisation," the report adds.

The report adds that NHS Digital told the NAO that it doesn't have evidence to suggest that any patient data was compromised as a result of the attack.