NHS Digital’s response to WannaCry was “let down” by poor communications to healthcare organisations about the attack, its security operations lead has admitted.

Chris Flynn was speaking to delegates at the cyber security in healthcare stream of today’s UK Health Show, being held at London’s Olympia.

While he said NHS Digital first started receiving reports about the attack around lunchtime, it did not issue its first initial communication on the subject until almost 5pm.

It follows comments the organisation made a few months ago at the NHS Confederation conference about the need to be “better prepared” for any future attacks.

“It took us about four hours to get a communication out [about WannaCry],” Flynn said. “That’s because we wanted the communication to detail the vulnerability, to detail any mediation we had identified.

“One of our key learnings is we got that wrong. There was that vacuum of information for a few hours.”

That vacuum included, he said, details on what was safe to use despite the attack –which compounded existing challenges around communication.

“We didn’t tell people specifically that NHS Mail was safe. We didn’t say it wasn’t, but we didn’t say it was. And we know that people pulled connections.

“Similarly, around the N3 network. So the N3 network wasn’t affected. It moved across N3, but it would move across any network. And people were pulling connections from N3.

Sheffield Teaching Trust lessons post-WannaCry


“That then massively impacts our ability to communicate. Over the course of the weekend at NHS Digital, I think we issued about 12 advisories or pieces of information, and there were pockets of the population that didn’t receive that because they had pulled the drawbridge up.”

He concluded: “The initial steps that organisations took to secure themselves meant that there were effectively cut adrift from our communications”.

Tracey Scotter, former director of ICT at Sheffield Teaching Hospitals NHS Foundation Trust, reported that the lack of early information from NHS Digital had meant it “was a bit like operating in a void” during the time of the attack.

“We were under intense pressure in the IT team to answer lots of questions: what is WannaCry, what it’s going to do, what’s the next thing coming, all these questions.

“To be honest, we got our answers from the BBC website. It actually was the most informative and the easiest thing for us to access.”

Andy Vernon, current director of ICT at the trust, emphasised the importance of having “real-time accurate information” about attacks.

“What we would really like more of is real-time information and thinking creatively about the channels to providing this… because we are all flying blind at the time.”

While the trust, which accommodates five hospitals and more than two million patients a year, was not directly affected by the May attack, Vernon said they are continuing to refine their technical defences.

Sheffield trust’s IT landscape


“We have learned preparation was essential… even those – such as ourselves – who were not hit directly by the major attack are still affected indirectly as the system become more integrated.”

“As with any major incident, accurate real-time information is vital, but often difficult to source.”

Flynn told delegates NHS Digital had since “put in place processes where we get ahead of the curve” on communications around emerging attacks. He pointed to the Petya ransomware which appeared over the summer but which did not affect the NHS.

“We issued notification within an hour for Petya incidents,” said Flynn. “To say we’re away of this threat, we’ve had no reports of any impacted NHS or social care organisations. So we’ve taken those lessons from WannaCry.”

A total of 48 English trusts and 13 care bodies in Scotland were affected by May’s WannaCry attack, which constitutes a fifth of all NHS organisations.

NHS Digital’s plans for improved cyber-attack communications

  • System-wide ‘Cyber Playbook’ describing the roles and responsibilities of NHS England, NHS Improvement, NHS Digital and Department of Health to ensure major incidents are managed consistently
  • More information needs to be issued earlier in a subsequent major attack (within the first 60 minutes) to avoid unintended outcomes, such as local organisations disconnecting from N3 and NHS Mail
  • Requirement for multiple and known comms channels to support health and care
  • NHS organisations need easy access to guidance from the centre or trusted partners to support local decisions
  • Need for emergency communications mechanism when organisations switch off from the network N3
  • NHS England, NHS Improvement, NHS Digital regional leads need to be engaged and utilised to support implementation of guidance and advisories