NHS Lanarkshire was 'vulnerable' to cyber-attack
A health board was vulnerable to a widespread cyber-attack because a vital security patch had not been fully rolled out, a report has revealed.
Almost 500 patient appointments and procedures were cancelled when NHS Lanarkshire computers were infected by the WannaCry ransomware in May.
It was one of the worst-hit health authorities in Scotland.
NHS Lanarkshire said it had taken "prompt and robust action" following the attack.
The health board was also hit by a further cyber-attack in August which led to 184 cancelled appointments.
The WannaCry ransomware, which affected about 150 countries in May, takes over users' files, demanding $300 (£230) to restore them.
- Massive cyber-attack hits 99 countries
- Who was hit by the NHS cyber-attack?
- Cyber-attack: Is my computer at risk?
A report released during a meeting of the NHS Lanarkshire health board on Wednesday has revealed the scale of the attack on the authority.
"While the malware affected many NHS organisations across England and Scotland, it had a significant impact on NHSL, with 1,338 PCs affected in both acute and primary care settings," the report said.
Microsoft released a security patch in March 2017 that blocked WannaCry.
The report noted this was being tested by the board's eHealth team at the time of the attack - and had been installed on some servers - but was not fully rolled out because of "ongoing testing and limited resources".
NHS Lanarkshire also has 395 PCs still using Windows XP, which had no security patch available at the time of the attack.
The report added: "Microsoft has subsequently made a WannaCry patch available for XP but in general XP remains unsupported.
"One hundred and ninety of these PCs were required to run XP as they were supporting medical devices which could not operate on more up to date software.
"Therefore, these PCs were particularly vulnerable."
This was despite an earlier audit which the report found had erroneously reported that no computers in NHS Lanarkshire were running Windows XP.
However, the report said no data was stolen during the incident and it is believed no data was "lost or unrecoverable".
IT teams were able to "cleanse" all infected PCs in the week following the incident.
The report also praised the "excellent teamwork" of staff involved in response to the incident and "excellent leadership" from NHS Lanarkshire's chief executive Calum Campbell.
Mr Campbell said: "Following the cyber attack in May we took prompt and robust action to improve the security of our IT systems, which helped limit the impact of the malware incident in August.
"We apologise to any patients affected by the May and August incidents. Our staff went above and beyond during these incidents to successfully minimise the inconvenience to patients and quickly restore our IT systems.
"The integrity of our patient data was maintained in both cases."
Mr Campbell added that NHS Lanarkshire was now "much better placed" to respond to future cyber threats.