An NHS trust in Scotland was left ‘vulnerable’ to cyber attack disruption because a software update had not been installed.
Almost 500 patient appointments and procedures had to be cancelled when NHS Lanarkshire computers were infected by WannaCry in May.
A report into what happened has since been released and revealed how the attack had affected the trust, including affecting more than 1,300 PCs.
The internal report added that a number of computers were left ‘vulnerable’ due to their software.
The report stated: “Microsoft has subsequently made a WannaCry patch available for XP but in general XP remains unsupported.
“One hundred and ninety of these PCs were required to run XP as they were supporting medical devices which could not operate on more up-to-date software.
“Therefore, these PCs were particularly vulnerable.”
The trust was subsequently affected by a malware outbreak in August, as reported by Digital Health News.
Following the release of the report, Calum Campbell, chief executive of NHS Lanarkshire, said the impact of the cyber attack was ‘limited’.
He added: “Following the cyber attack in May we took prompt and robust action to improve the security of our IT systems, which helped limit the impact of the malware incident in August.
“We apologise to any patients affected by the May and August incidents.
“Our staff went above and beyond during these incidents to successfully minimise the inconvenience to patients and quickly restore our IT systems.”
“The integrity of our patient data was maintained in both cases.
“Every organisation throughout the world needs to recognise and prepare for future cyber threats of this kind.
“Our experience, detailed analysis and learning from both incidents along with robust actions to enhance our cyber security mean that NHS Lanarkshire is much better placed to meet and respond to these challenges.”
The WannaCry ransomware, which affected around 150 countries, takes over user files and demands £230 ($300) to restore them.
A National Audit Office (NAO) report into the May attack concluded that simple measures could have been taken to protect the NHS.