NHS Lanarkshire was left ‘vulnerable’ to WannaCry cyber attack disruption

  • 31 October 2017
NHS Lanarkshire was left ‘vulnerable’ to WannaCry cyber attack disruption
cyber attack health boards

An NHS trust in Scotland was left ‘vulnerable’ to cyber attack disruption because a  software update had not been installed.

Almost 500 patient appointments and procedures had to be cancelled when NHS Lanarkshire computers were infected by WannaCry in May.

A report into what happened has since been released and revealed how the attack had affected the trust, including affecting more than 1,300 PCs.

The internal report added that a number of computers were left ‘vulnerable’ due to their software.

The report stated: “Microsoft has subsequently made a WannaCry patch available for XP but in general XP remains unsupported.

“One hundred and ninety of these PCs were required to run XP as they were supporting medical devices which could not operate on more up-to-date software.

“Therefore, these PCs were particularly vulnerable.”

The trust was subsequently affected by a malware outbreak in August, as reported by Digital Health News.

Following the release of the report, Calum Campbell, chief executive of NHS Lanarkshire, said the impact of the cyber attack was ‘limited’.

He added: “Following the cyber attack in May we took prompt and robust action to improve the security of our IT systems, which helped limit the impact of the malware incident in August.

“We apologise to any patients affected by the May and August incidents.

“Our staff went above and beyond during these incidents to successfully minimise the inconvenience to patients and quickly restore our IT systems.”

“The integrity of our patient data was maintained in both cases.

“Every organisation throughout the world needs to recognise and prepare for future cyber threats of this kind.

“Our experience, detailed analysis and learning from both incidents along with robust actions to enhance our cyber security mean that NHS Lanarkshire is much better placed to meet and respond to these challenges.”

The WannaCry ransomware, which affected around 150 countries, takes over user files and demands £230 ($300) to restore them.

A National Audit Office (NAO) report into the May attack concluded that simple measures could have been taken to protect the NHS.

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

How to equip NHS staff with cyber security skills they will use

How to equip NHS staff with cyber security skills they will use

Too often, cyber security training is a seen as a burden. But it is possible to make it relevant and useful, writes Nasser Arif.
Cheshire and Merseyside ICS selects cyber security platform

Cheshire and Merseyside ICS selects cyber security platform

Cheshire and Merseyside Integrated Care System has selected a healthcare cyber security platform from Cynerio to strengthen its defences.
How to find your inner ‘cyber defender’

How to find your inner ‘cyber defender’

A "back to basics" and "honest" approach to personal cyber security can help NHS staff make larger improvements at work, writes Nasser Arif.

2 Comments

  • Well done NHS Lanarkshire. Believe this won’t happen again here.

  • I’d love to know whether the medical device suppliers should be blamed for forcing the NHS to use Windows XP machines, or whether those devices should also have been deemed unsupported. Or were unsupported and adequate equipment was not purchased.

    God, I hope MRI machines aren’t running on Windows XP….

Comments are closed.