
NHS 'could have prevented' WannaCry ransomware attack

Inspectors say senior officials were warned about cyber attack risk a year earlier

Mark Gould

Friday, 27 October 2017

NHS trusts were left vulnerable to the WannaCry ransomware attack because cyber-security recommendations were not followed, a government report* has said.

More than a third of trusts in England (34%) were disrupted by the WannaCry ransomware attack in May, according to the National Audit Office (NAO). At least 6,900 NHS appointments were cancelled as a result, including at least 139 urgent referrals of patients with suspected cancer.

NHS England said no patient data had been compromised or stolen and praised the staff response. But Sir Amyas Morse, comptroller and auditor-general of the NAO said in the report that WannaCry was "a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice."

"There are more sophisticated cyber-threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks."

The malware encrypted data on infected computers and demanded a ransom roughly equivalent to £230 ($300). The NAO report said there was no evidence that any NHS organisation paid the ransom - but the financial cost of the incident remained unknown.

An assessment of 88 out of 236 trusts by NHS Digital before the attack found that none passed the required cyber-security standards.

The report says that the Department of Health was warned about the risks of cyber-attacks on the NHS a year before WannaCry and, although it had work underway, it did not formally respond with a written report until July 2017.

The Department and Cabinet Office wrote to trusts in 2014, saying it was essential they had "robust plans" to migrate away from old software, such as Windows XP, by April 2015. In March and April 2017, weeks before the attack, NHS Digital issued critical alerts warning organisations to patch their systems; organisations that applied those patches were protected against WannaCry.

However, before 12 May 2017, the NAO says, "the Department had no formal mechanism for assessing whether local NHS organisations had complied with their advice and guidance and whether they were prepared for a cyber-attack".

The NAO credits the widely reported work of cyber-security researcher Marcus Hutchins, who accidentally helped to stop the spread of WannaCry. His "kill switch" involved registering a domain name hard-coded in the malware: each new infection checked whether that domain could be reached before running, and once it resolved the program halted rather than encrypting files or spreading further. Machines already encrypted were not recovered by this; it only blunted further spread.

Between 15 May and mid-September, NHS Digital and NHS England identified a further 92 organisations, including 21 trusts, as having contacted the WannaCry domain, though some of these may have contacted the domain as part of their own cyber-security activity rather than because of an infection.
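The "contacting the WannaCry domain" finding above is the kind of check that comes straight out of DNS or proxy logs. The following added example (mine, not from the NAO report or from NHS Digital) parses a simplified, constructed DNS query-log format and lists which internal clients looked up the kill-switch domain and when. The domain constant is the publicly documented WannaCry kill-switch domain, which the NAO report does not name; the log format, client addresses and timestamps are invented for the example.

```python
"""
Triage DNS query logs for lookups of the WannaCry kill-switch domain.

Added example, not taken from the NAO report. The log format is a
constructed, simplified one: "<ISO timestamp> <client IP> query: <name>".
A hit is a lead for triage, not proof of infection: as the NAO notes,
security teams and scanners also resolve the domain deliberately.
"""
import re
from collections import defaultdict

# Publicly documented WannaCry kill-switch domain (the report itself does not name it).
KILL_SWITCH_DOMAINS = {"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}

# Constructed sample log; addresses and times are invented.
SAMPLE_DNS_LOG = """\
2017-05-12T11:02:13 10.20.3.15 query: www.nhs.uk
2017-05-12T11:03:41 10.20.3.15 query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T11:03:42 10.20.3.15 query: update.microsoft.com
2017-05-12T11:07:09 10.20.7.88 query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
2017-05-12T11:07:10 10.20.7.88 query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T11:09:55 10.20.9.2 query: threatintel.example.internal
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query:\s+(\S+)\s*$")


def normalise(name):
    """Lower-case and drop a trailing dot so 'EXAMPLE.COM.' matches 'example.com'."""
    return name.lower().rstrip(".")


def find_kill_switch_lookups(log_text, indicators=KILL_SWITCH_DOMAINS):
    """Return {client_ip: [timestamps]} for every query to an indicator domain.

    Lines that do not match the expected format are skipped rather than
    raising, so a single malformed record cannot abort a triage run.
    """
    want = {normalise(d) for d in indicators}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, qname = m.groups()
        if normalise(qname) in want:
            hits[client].append(ts)
    return dict(hits)


def timeline(hits):
    """Flatten hits into a time-ordered list of (timestamp, client).

    ISO-8601 timestamps sort lexically, so the first entries show which
    hosts reached the domain earliest, useful when reconstructing whether
    a site was hit before the sinkhole was in place.
    """
    return sorted((ts, client) for client, stamps in hits.items() for ts in stamps)


if __name__ == "__main__":
    hits = find_kill_switch_lookups(SAMPLE_DNS_LOG)
    for ts, client in timeline(hits):
        print(f"{ts}  {client}  queried kill-switch domain")
```

Each client in the output still needs a human decision: a production endpoint that resolved the domain is a candidate infected machine to isolate and image, while a threat-intelligence or scanning host that resolved it on purpose is expected noise, which is exactly the ambiguity the NAO flags in the 92 organisations above.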

Of the 37 trusts infected and locked out of devices, 32 were located in the North NHS Region and the Midlands & East NHS Region. NHS England believes more organisations were infected in these regions because they were hit early on 12 May, before the WannaCry 'kill switch' was activated.

The NAO says the Department had developed a plan, which included the roles and responsibilities of national and local organisations for responding to an attack, but had not tested the plan at a local level. As the NHS had not rehearsed for a national cyber-attack, it was not immediately clear who should lead the response and there were problems with communications. Many local organisations could not communicate with national NHS bodies by email because they had been infected by WannaCry or had shut down their email systems as a precaution, though NHS Improvement did communicate with trusts' chief executive officers by telephone. Locally, NHS staff shared information through personal mobile devices, including the encrypted messaging app WhatsApp.

NHS Digital told NAO inspectors that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves. "Infected organisations had unpatched or unsupported Windows operating systems so were susceptible to the ransomware. However, whether organisations had patched their systems or not, taking action to manage their firewalls facing the internet would have guarded organisations against infection," the report found.
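The firewall point above is worth making concrete. WannaCry entered networks by exploiting SMBv1 over TCP port 445 (a well-known fact about the malware, not a detail the NAO report spells out), so the perimeter control is simply that inbound SMB must not be reachable from the internet. The following added example (mine, not NHS Digital's or the NAO's) is the external check a practitioner would run against their own public addresses to confirm that; the addresses in it are assumed placeholders.

```python
"""
Perimeter check: can SMB be reached on an internet-facing address?

Added example, not from the NAO report. WannaCry spread over SMBv1 on
TCP 445 (139 is the older NetBIOS session port); neither should accept
connections from the internet. Run this from OUTSIDE the perimeter,
against addresses you own. The hosts listed below are placeholders.
"""
import socket

SMB_PORTS = (445, 139)


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    Connection refused, a filtered/dropped packet (timeout) and an
    unreachable network all count as 'not exposed' for this purpose.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # includes ConnectionRefusedError and socket.timeout
        return False


def smb_exposure(hosts, ports=SMB_PORTS, timeout=2.0):
    """Return {host: [open SMB ports]}; an empty list means SMB is blocked."""
    return {h: [p for p in ports if tcp_port_open(h, p, timeout)] for h in hosts}


if __name__ == "__main__":
    # Assumed external addresses of a trust's perimeter (TEST-NET-3 range); replace with your own.
    for host, open_ports in smb_exposure(["203.0.113.10", "203.0.113.11"]).items():
        status = "EXPOSED" if open_ports else "blocked"
        print(f"{host}: SMB {status} {open_ports}")
```

A completed handshake only proves the port is reachable, not that SMBv1 is enabled behind it, but for an internet-facing address that distinction does not matter: inbound 445 should be closed at the firewall regardless of patch state, which is the NAO's point.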

The NAO said the NHS "has accepted that there are lessons to learn" from WannaCry and will now develop a response plan. NHS England and NHS Improvement have written to every major health body asking boards to ensure that they have implemented all alerts issued by NHS Digital between March and May 2017 and have taken essential action to secure local firewalls.

It will also ensure that critical cyber-security updates - such as applying software patches - are carried out by IT staff, the NAO said.

Keith McNeil, chief clinical information officer for health and care at NHS England, said: "As the NAO report makes clear, no harm was caused to patients and there were no incidents of patient data being compromised or stolen.

"Tried and tested emergency plans were activated quickly and our hard-working NHS staff went the extra mile to provide patient care, keeping the impact on NHS services and patients to a minimum."

* Investigation: WannaCry cyber attack and the NHS. Report by the Comptroller and Auditor General. National Audit Office, October 2017.
