• London North West report says pressure to make ICT saving and deploy new technology increasing risk of cyber attack
  • Report suggests wider impact of cyber attack.
  • Two reports earlier this year warned the trust its PC security update management was “weak”.

Pressure on NHS IT budgets is increasing the risk from future cyberattacks according to a director at a major London trust infected by the WannaCry virus last month. 

The report from London North West Healthcare Trust interim informatics director Alan Brown also suggested the impact of the cyberattack was more widespread than previously reported. 

In a report to the trust board, Mr Brown said a focus on new technology, coupled with savings pressures, had come at the expense of preventative IT maintenance.

“The increasing pressure on ICT to deploy and support new technology at the expense of preventative maintenance, plus the request for further cost savings in the ICT service, is further increasing the risk of more attacks and the time it takes to respond and recover from them,” the report said.

London North West was one of at least 47 NHS trusts infected in a global ’WannaCry’ ransomware attack, that spread to more than 150 countries on 12 May.

London North West was not as severely disrupted as some trusts, such as Barts Health and Southport and Ormskirk, and isolated the spread of the infection to less than 10 machines.

However, it was still forced to shut down most of its IT systems, resulting in the cancellations of nearly 300 outpatient radiology appointments and impacting on neighbouring trusts reliant on its IT systems. London North West did not fully restore its IT systems until five days after the attack.

Mr Brown’s report also raised the possibility that the cyber attack had affected more NHS trusts than the one in five suggested by NHS England.

In a series of teleconferences and meetings between IT leaders at London trusts in the week following the attack, not one trust reported being “completely unaffected” by the attack, the report said.

Some trusts that were not infected were nevertheless disrupted, after shutting down IT systems as a precautionary move.

Like the rest of the NHS, the exact cause of infection at London North West was unknown, but an email with a malicious attachment or link sent to a staff member was considered likely responsible.

The virus also “clearly” gained access through PCs which had not received the latest Windows security updates, or patches, released by Microsoft in March specifically to close a vulnerability exploited by WannaCry.

Two separate reports produced for the trust earlier this year, including an external cyber audit, had highlighted “patch management” as a specific area of weakness.

“The lack of up-to-date patch management was clearly a cause of the infections that did take place and was a weakness in this area”, Mr Brown’s board report claimed.

He blamed “conflicting priorities and activities on the team” for this gap. The IT team had been drawn into new projects, without additional funding, ”leading to a reduced focus on routine activities such as preventative maintenance”.

In some instances, patches had also not been applied because the departments involved had not authorised the downtime of clinical systems required. Mr Brown also reported that some IT suppliers did not provide sufficient information about the “risk/security” of their systems.

A London North West spokesman said Mr Brown would shortly be leaving his interim role at the trust but this was completely unrelated to either the cyber attack or the report.

He was not able to provide further comment before publication.