Will the NHS learn the right lessons from the WannaCry crisis?

‘The Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks’, warns the National Audit Office

Posted 31 October 2017 by Gary Flood

The May WannaCry cyber attack took down as many as one in three of all English trusts, and it did so largely because of a lack of security preparation by both the Department of Health (DoH) and NHS staff themselves.

And even now, months later, the full extent of the damage still isn’t known, it claims.

That’s the verdict of the National Audit Office (NAO), which has just published the results of its own special investigation into the crisis.

The study states that DoH was warned about the risks of cyber attacks on the NHS a year before WannaCry and, “although it had work underway”, did not formally respond with a written report until July 2017. The Department and Cabinet Office wrote to trusts in 2014, for example, saying it was essential they had “robust plans” to migrate away from old software such as Windows XP by April 2015 – but, says NAO, “Before 12 May 2017, the Department had no formal mechanism for assessing whether local NHS organisations had complied with their advice and guidance and whether they were prepared for a cyber attack.”

In terms of the impact of the attack, NAO says we now know it led to disruption in at least 34% of trusts in England, although the Department and NHS England do not know the full extent of the disruption. A further 603 primary care and other NHS organisations were infected by WannaCry, including 595 GP practices – but “The Department does not know how many NHS organisations could not access records or receive information, because they shared data or systems with an infected trust. NHS Digital told us that it believes no patient data were compromised or stolen.”

It is known that thousands of appointments and operations were cancelled and in five areas patients had to travel further to accident and emergency departments – but again, months later, we still don’t know precisely how many.

We also don’t know how much the disruption to services cost the NHS. Costs included cancelled appointments, says the study, additional IT support provided by NHS local bodies, or IT consultants and the cost of restoring data and systems affected by the attack. National and local NHS staff worked overtime including over the weekend of 13 to 14 May to resolve problems and to prevent a fresh wave of organisations being affected by WannaCry on Monday 15 May, for example.

The cyber attack could have caused more disruption if it had not been stopped by a cyber researcher activating a ‘kill switch’ so that WannaCry stopped locking devices.

And NHS Digital informed the body that “all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves”. Specifically, infected organisations had unpatched or unsupported Windows operating systems, so were susceptible to the ransomware. However, whether or not organisations had patched their systems, taking action to manage their internet-facing firewalls would have guarded them against infection.

The NHS has accepted that there are lessons to learn from WannaCry and is taking action, the NAO concludes, noting that NHS England and NHS Improvement have written to every major health body asking boards to ensure that they have implemented all alerts issued by NHS Digital between March and May 2017 and taken essential action to secure local firewalls.

Commenting on his team’s findings, Amyas Morse, Head of the National Audit Office, notes that, “The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients.

“It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.

“There are more sophisticated cyber threats out there than WannaCry, so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

NHS Digital has also responded to the NAO’s report.

“We welcome the outcome of this investigation which highlights some of the challenges we faced during the WannaCry incident and in our role to alert NHS organisations to known cyber security threats and advise them of appropriate steps to take to minimise risks,” said its Head of Security, Dan Taylor.

“It was an international attack on an unprecedented scale that affected organisations across the world. While it did not specifically target the NHS, the impact on our health services was significant.

“The NHS responded admirably to the situation. Doctors, nurses and professionals from all areas pulled together and worked incredibly hard to keep frontline services for patients running and to get everything back to normal as swiftly as possible.

“We learned a lot from WannaCry, and are working closely with our colleagues in other national bodies to continue to listen, learn and offer support and services to frontline organisations.”