NHS trusts across the country have only themselves to blame for the WannaCry ransomware outbreak in May because they failed to apply patches for Windows 7 that had been available for weeks, or to secure their firewalls accordingly.
That's according to NHS Digital, and the National Audit Office's official investigation into the WannaCry outbreak.
"All organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves," concluded the NAO.
The report continues: "All NHS organisations infected by WannaCry had unpatched or unsupported Windows operating systems so were susceptible to the ransomware.
"However, whether organisations had patched their systems or not, taking action to manage their firewalls facing the internet would have guarded organisations against infection.
"NHS Digital told us that the majority of NHS devices infected were unpatched but on supported Microsoft Windows 7 operating systems. Unsupported devices (those on XP) were in the minority of identified issues.
"NHS Digital has also confirmed that the ransomware spread via the internet, including through the N3 network (the broadband network connecting all NHS sites in England), but that there were no instances of the ransomware spreading via NHSmail (the NHS email system)."
Lessons identified by the Department of Health and NHS bodies included the following:
- Develop a response plan setting out what the NHS should do in the event of a cyber attack and establish clear roles and responsibilities for local and national NHS bodies, and the Department of Health;
- Ensure organisations implement critical CareCERT alerts (emails sent by NHS Digital providing information or requiring action), apply software patches as a matter of urgency, and keep anti-virus software up-to-date;
- Ensure that essential communications can get through during an attack when systems are down; and,
- Ensure that organisations, boards and their staff take IT security risks seriously, understand the risks to front-line services as a result of cyber attacks and improve their resilience to cyber attack.
"Since WannaCry, NHS England and NHS Improvement have written to every trust, clinical commissioning group and commissioning support unit asking boards to ensure that they have implemented all 39 CareCERT alerts issued by NHS Digital between March and May 2017 and taken essential action to secure local firewalls," claimed the NAO.