NHS Ransomware Attack Could Have Been Avoided Says the National Audit Office

By Philip Robinson   10.30.2017   Ransomware


If you have been following our blog this year, you know that we have reached this conclusion already. But now it has been confirmed by none other than the National Audit Office themselves: the “WannaCry” ransomware attack that crippled much of the NHS in the UK could have been avoided by following simple IT security best practices.

Back in May, a new strain of ransomware, nicknamed “WannaCry”, effectively decimated parts of the National Health Service, with over 19500 appointments cancelled, computers at 600 GPs locked and five hospitals having to divert ambulances elsewhere.

Whilst it wasn’t surprising that the NHS would fall victim to an attack of this kind, the “relatively unsophisticated” nature of the ransomware itself only served to highlight the shortcomings of attitudes towards IT security. Many organizations across the globe are still not doing enough to protect themselves against these kinds of attacks.

Amyas Morse, the head of the NAO, said of the attack: “The WannaCry cyber-attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. The NHS needs to ensure that they are better protected against these kinds of attacks, as it’s only a matter of time before a more intelligent cyber security threat comes along.”

So, finally, the NAO has reached the conclusion we have been banging on about for a while now. It’s relatively simple in principle to defend yourself against these attacks! We’ve actually already written a blog with some best practices for securing your Active Directory. It’s worth taking a look at this if you haven’t already.

We now know that, as early as 2014, the Cabinet and the DoH (Department of Health) had both written to the NHS urging them to move away from old software immediately. Perhaps even more telling is that NHS Digital themselves issued numerous warnings that there were bugs in the Windows computers used by the NHS that needed to be fixed. It was these exact bugs that the WannaCry ransomware strain was able to take advantage of.

Before the attack ever took place, NHS Digital had undertaken a test to see just how prepared the NHS were to combat security breaches in their IT infrastructure. The results? Not a single health trust passed the test. Not a single one! This is a very damning indictment of the state of IT security in the modern world. There are simply not enough organizations that take the threat seriously.

Data breaches, whether caused by malicious attackers or careless insiders, can be extremely damaging to both the bottom line and reputation of the organization involved. Thankfully, there’s a simple answer to this problem. LepideAuditor is a simple, cost-effective and scalable way of auditing Active Directory as well as File Server, Exchange, SQL, SharePoint and even Office 365. Download the free trial now to see how it can help you get visibility into critical changes taking place to systems, data and permissions.

