NHS Lanarkshire Blames Missing Patch For WannaCry Impact

One of Scotland’s largest health boards failed to ensure that its IT systems were fully patched with a vital security update, which left it vulnerable to a widespread cyber attack.

NHS Lanarkshire had been one worst-hit health authorities in Scotland when the WannaCry ransomware wrecked havoc across the UK (and indeed the world) starting on May 12.

Eleven of Scotland’s 14 territorial health boards had been affected in that attack, and it forced NHS Lanarkshire (NHSL) to cancel 494 patient appointments and procedures at that time. But no data was lost or was unrecoverable.

The WannaCry malware caused disruption in May of this year

WannaCry Attack

And then in August NHS Lanarkshire confirmed that its IT systems and network had been infected again by a new variant of the Bitpaymer malware.

That ransomware attack in August led to 184 operations and doctors’ appointments being cancelled.

Ransomware encrypts data on the systems of those attacked and demands a payment to unlock the files. The WannaCry ransomware hit 150 countries in May, and typically demanded $300 (£230) in bitcoins to restore infected computers.

NHS Lanarkshire is Scotland’s third-largest health board and serves more than 650,000 people.

And now it has admitted in a ‘Significant Adverse Event Review Report‘ on the WannaCry attack, that its patching process had left it vulnerable, along with a couple of other issues.

This is despite the report stating that NHSL had recognised the increasing risk from cyber-attack back in 2015.

“While the malware affected many NHS organisations across England and Scotland, it had a significant impact on NHSL, with 1338 PCs affected in both acute and primary care settings,” the report said of the WannaCry attack in May.

“Over the course of the week following the incident, the infected PCs were either cleansed of virus on site or were replaced while cleansing took place. This was done on a prioritised basis, with additional IT support being provided by NHS Greater Glasgow and Clyde and NHS Ayrshire and Arran.”

What Went Wrong

The report found three main technical issues had led to NHS Lanarkshire being affected by WannaCry.

The first that while Microsoft had actually released a security patch in March 2017 that blocked WannaCry, it had only been deployed on GP servers, but “had not been rolled out due to ongoing testing and limited resources to deploy the patch sooner.”

The second issue was that unbelievably NHSL was still using 395 PCs that ran Windows XP – support for which had ended back in 2014.

Microsoft subsequently made a WannaCry patch available for XP systems.

NHSL said that a previous audit had incorrectly found there were no XP-running PCs, but in reality 190 of these PCs were still required to run XP as they were supporting medical devices which could not operate on more up to date software.

The third issue was that a configuration on desktop PCs called SMB version 1 was left on. The SMB configuration needed to be active in order for the Board’s laboratory system to operate effectively. The active SMB configuration was exploited by the malware to allow it to move across internal networks, said the report.

“As a result of these findings, the review team has concluded that there were major service issues that contributed to the event,” the report stated. “There were no significant adverse patient outcomes although there was the potential for major service implications.”

Do you know all about security in 2017? Try our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Microsoft Xbox Marketing Chief Leaves For Roblox

Microsoft loses Xbox marketing chief amidst executive changes in company's gaming division, broader layoffs and…

9 hours ago

YouTube Test Community ‘Notes’ Feature For Added Context

YouTube begins testing Notes feature that allows selected users to add contextual information to videos,…

9 hours ago

FTC Sues Adobe Over Hidden Fees, Termination ‘Resistance’

US regulator sues Photoshop maker Adobe over large, hidden termination fees, intentionally difficult cancellation process

10 hours ago

Tencent To Ban AI Avatars From Livestream Commerce

Chinese tech giant Tencent to ban AI hosts from livestream video platform as it looks…

10 hours ago

TikTok US Ban Appeal Gets 16 September Court Date

Action by TikTok, ByteDance and creators against US ban law gets 16 September hearing date,…

11 hours ago

US Surgeon General Calls For Warning Labels On Social Media

US surgeon general calls for cigarette-style warning labels to be shown on social media advising…

11 hours ago