Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • The UK government and NHS were unprepared for the WannaCry attack, as they had not shared and tested plans for responding to a cyberattack or passed cybersecurity inspections. — UK Committee of Public Accounts, 2018
  • The financial impact of WannaCry is still unknown, which is hindering the NHS’s ability to target its cybersecurity investments. — UK Committee of Public Accounts, 2018

Almost a year after the WannaCry ransomware attack took out banks, public transit systems, hospitals, and universities worldwide, several of the UK organizations hit have not adequately implemented cybersecurity practices that can prevent future threats, according to a Tuesday report from the UK’s Committee of Public Accounts.

WannaCry hit the UK’s National Health Service (NHS) particularly hard, affecting more than one third of NHS branches and leading the the cancellation of 20,000 hospital appointments and operations, as well as patients getting diverted from emergency rooms unable to treat them. Some hospitals did not return to normal operations for weeks, as reported by our sister site ZDNet.

“The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cyber security and response plans of the NHS,” committee chair Meg Hillier said in a statement on the report. “It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed.”

SEE: Incident response policy (Tech Pro Research)

When any organization is hit with a cyberattack or uncovers a vulnerability, they must come up with a plan for recovery and patching and implement it quickly. Otherwise, they leave themselves extremely at risk for future attacks.

Before WannaCry, the NHS had failed to act on warnings to patch exposed systems that would have prevented the attack, Hillier said in the statement.

After the attack, NHS Digital completed on-site cybersecurity assessments at 200 NHS branches. All branches failed the assessment, the report found.

“We are told that this was because a high bar had been set for NHS providers to meet the required standard, but some of the trusts had failed the assessment purely because they had still not patched their systems–the main reason the NHS had been vulnerable to WannaCry,” the report stated. “There is also the risk that those organisations not infected by WannaCry, a relatively unsophisticated attack, become complacent and do not keep on top of their cyber security risks.”

Further, many healthcare branches do not have the means to update and protect systems without disruption patient care, the report found. A lack of qualified cybersecurity workers is part of the problem, the report noted: NHS Digital itself has fewer than 20 skilled cybersecurity professionals on staff.

The government still does not have an estimate of the financial impact of the WannaCry attack on the NHS, the report stated, which is impeding the ability to target cybersecurity investments. The department has been tasked with providing such an estimate by the end of June.

“This case serves as a warning to the whole of Government: a foretaste of the devastation that could be wrought by a more malicious and sophisticated attack,” Hillier said in the statement. “When it comes, the UK must be ready.”