The UK’s National Health Service failed to follow basic IT security practices, and it paid dearly for that when WannaCry hit the internet:

The UK’s National Health Service is spending £20m on a new security operations centre to improve its ability to help local NHS organisations respond to ransomware and other cyber security threats.

A subsequent review found that had UK security researcher Marcus Hutchins not found a ‘kill switch’ for WannaCry within days of the initial outbreak, a further 21 trusts – totaling 92 NHS organisations – could have experienced disruptions too.

As part of the project, NHS Digital is inviting the private sector to bid for a three to five year contract to support its new security responsibilities.

The National Audit Office released the findings of a review of WannaCry’s impact on the NHS last month that found the malware was preventable if the NHS had followed “Basic IT security best practice”.

The audit also found shortcomings in NHS incident response plans, which covered roles and responsibilities of national and local organisations, but had not been tested with local NHS organisations.

Most, though not all, breached organizations failed to follow some basic IT security best practice or were lax about applying operating system and application security patches. Cyber security is not rocket science. It takes a systematic, methodical strategy and can be done well, but it requires sustained focus and a corporate culture that understands risk and insists that such security lapses do not happen.