The UK's National Health Service (NHS) could have prevented the unprecedented "WannaCry" malware outbreak earlier this year if it had applied basic IT procedures and heeded warnings from security experts to apply software upgrades, a government report stated Friday (27 October).
More than 300,000 computers in 150 countries were infected with the WannaCry "ransomware", which demanded money for an unlock code.
More than 19,000 medical appointments - including 139 potential cancer referrals - were cancelled when the NHS was locked out of computers on May 12.
For example, the Secretary of State for Health asked the National Data Guardian and the Care Quality Commission to undertake reviews of data security, with reports published in July 2016 that warned the Department of Health that cyber attacks could lead to patient information being lost or compromised.
The UK government has joined Microsoft in blaming North Korea for the WannaCry ransomware attack.
The NAO chief said the Department of Health and the NHS must now "get their act together".
The NAO report said there was no evidence that any NHS organisation paid the ransom - but the financial cost of the incident remained unknown. These costs include: cancelled appointments; additional IT support provided by local NHS bodies, or IT consultants; or the cost of restoring data and systems affected by the attack. Hospitals and NHS Trusts in Barnsley, Hull, East Yorkshire, North Lincolnshire and Goole were also hit.
"In the digital age, it is abundantly clear that a 21st Century health service should have been far better prepared for a cyber-attack".
The cyberattack could have caused more disruption had it not been stopped by a researcher who activated a "kill switch" that prevented WannaCry spreading.
To be fair, the Department of Health had developed a plan - it was just that it had not been properly communicated or tested in the NHS trusts.
Today's report reveals that the health department had been warned about the risks of cyber attacks on the NHS in July last year, but although work to improve security had begun, there had been no formal written response until July 2017, two months after the attack.
WannaCry wasn't a particularly sophisticated attack and could have been prevented by NHS organisations patching their Windows operating systems, or by managing their Internet-facing firewalls more effectively.
Of course, all of this could have been avoided if security patches had been applied to protect the Windows 7 systems common throughout the NHS.
The NAO said the NHS has accepted that there are lessons to learn from WannaCry and is already taking action to improve the protection of services from future cyber attacks.
Sir Amyas Morse, the head of the NAO, said: "The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients".