A National Audit Office report has revealed that simple measures could have been taken to protect the NHS from the global cyber-attack in May.
The National Audit Office released a detailed report following its investigation into the 12 May WannaCry event, which was the largest cyber-attack to affect the NHS.
The investigation focused on the ransomware attack’s impact on the NHS and its patients; why some parts of the NHS were affected; and how the Department of Health and NHS national bodies responded to the attack.
Amyas Morse, head of the National Audit Office, said it was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.
“There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
Meg Hillier MP, chair of the Committee of Public Accounts, agreed, saying the NHS could have fended off the attack if it had taken simple steps to protect its computers and medical equipment.
“Instead, patients and NHS staff suffered widespread disruption, with thousands of appointments and operations cancelled”, Hillier said.
“The Department of Health failed to agree a plan with the NHS locally for dealing with cyber-attacks so the NHS response came too late in the day.”
The ransomware attack hit the NHS in early May, encrypting data on infected computers and demanding a ransom payment to allow users access.
The key findings of the investigation revealed that the Department was warned about the risks of cyber-attacks on the NHS one year before WannaCry and although it had work underway, it did not formally respond with a written report until July 2017.
“The Department and Cabinet Office wrote to trusts in 2014, saying it was essential they had ‘robust plans’ to migrate away from old software, such as Windows XP by April 2015”, the report stated.
“In March and April 2017, NHS Digital had issued critical alerts warning organisations to patch their systems to prevent WannaCry.”
“However, before 12 May 2017, the Department had no formal mechanism for assessing whether local NHS organisations had complied with their advice and guidance and whether they were prepared for a cyber-attack.”
A total of 45 NHS organisations were originally identified as being infected by the attack; however, the investigation revealed that at least 81 out of 236 trusts across England were affected.
“A further 603 primary care and other NHS organisations were infected by WannaCry, including 595 GP practices.”
The Department does not know how many NHS organisations could not access records or receive information, because they shared data or systems with an infected trust, the report said.
NHS Digital told the Audit Office that it believes no patient data were compromised or stolen.
Digital Health News had reported that the disruption costs could have exceeded millions; however, the Department confirmed to the Audit Office that it does not know exactly how much the disruption to services cost the NHS.
“The Department, NHS England and the National Crime Agency told us that no NHS organisation paid the ransom.”
“Costs included cancelled appointments; additional IT support provided by NHS local bodies, or IT consultants; or the cost of restoring data and systems affected by the attack.”
“National and local NHS staff worked overtime including over the weekend of 13 to 14 May to resolve problems and to prevent a fresh wave of organisations being affected by WannaCry on Monday 15 May.”
WannaCry affected more than 200,000 computers in at least 100 countries. In the UK, the attack led to disruption in at least 34% of trusts in England although the Department and NHS England can’t confirm the full extent of the attack.
Poor communication was another key factor in the overall handling of the attack.
Digital Health News recently reported that NHS Digital admitted its response to WannaCry was “let down” by poor communications to healthcare organisations.
The Audit Office’s investigation confirmed that, as the NHS had not rehearsed for a national cyber-attack, it was not immediately clear who should lead the response.
“Communication was difficult in the early stages of the attack as many local organisations could not communicate with national NHS bodies by email as they had been infected by WannaCry or had shut down their email systems as a precaution, although NHS Improvement did communicate with trusts’ chief executive officers by telephone”, the report stated.
“Locally, NHS staff shared information through personal mobile devices, including using the encrypted WhatsApp application. Although not an official communication channel, national bodies and trusts told us it worked well during the incident.”
The NHS has accepted that there are lessons to learn from WannaCry and is taking action, the report revealed.
“NHS Digital told us that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves.”
“All NHS organisations infected by WannaCry had unpatched or unsupported Windows operating systems so were susceptible to the ransomware.”
Since WannaCry, NHS England and NHS Improvement have written to every trust, clinical commissioning group and commissioning support unit asking boards to ensure that they have implemented all 39 CareCERT alerts issued by NHS Digital between March and May 2017 and taken essential action to secure local firewalls.
Lessons identified by the Department and NHS national bodies include the need to:
• Develop a response plan setting out what the NHS should do in the event of a cyber-attack and establish the roles and responsibilities of local and national NHS bodies and the Department;
• Ensure organisations implement critical CareCERT alerts (emails sent by NHS Digital providing information or requiring action), including applying software patches and keeping anti-virus software up to date;
• Ensure essential communications are getting through during an attack when systems are down; and
• Ensure that organisations, boards and their staff are taking the cyber threat seriously, understand the direct risks to front-line services and are working proactively to maximise their resilience and minimise impacts on patient care.
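The report’s central technical finding is that every infected organisation was running an unpatched or unsupported Windows build, and that the Department had no formal way of checking whether trusts had acted on the CareCERT alerts. The script below is an added example, not code from the NAO report or from NHS Digital, of the kind of per-host compliance check that closes that gap: it records whether the host runs an operating system the report names as unsupported (Windows XP), whether a required set of hotfixes is installed, and whether the local firewall profiles are enabled. The hotfix IDs are placeholders (the page does not list the KB numbers behind the 39 alerts), and the version strings for Windows XP (5.1) and its server sibling (5.2) are assumptions added here.

```powershell
# Added example: per-host patch and support-status check for a central register.
# Not from the NAO report or NHS Digital. Replace the placeholder KB ids with
# the ones named in the CareCERT alerts you are tracking.

param(
    # Placeholder hotfix ids (assumption): substitute the real KB numbers.
    [string[]]$RequiredHotfixes = @('KB0000001', 'KB0000002')
)

# Major.minor versions treated as unsupported: 5.1 is Windows XP (named on the
# page); 5.2 (Windows Server 2003 / XP x64) is an added assumption.
$UnsupportedVersions = @('5.1', '5.2')

function Get-OsSupportStatus {
    # Win32_OperatingSystem carries the product name and the build version.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $majorMinor = ($os.Version -split '\.')[0..1] -join '.'
    [pscustomobject]@{
        Caption     = $os.Caption
        Version     = $os.Version
        Unsupported = $UnsupportedVersions -contains $majorMinor
    }
}

function Get-MissingHotfixes {
    param([string[]]$Required)
    # Get-HotFix lists installed Windows updates by their KB id.
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    @($Required | Where-Object { $installed -notcontains $_ })
}

function Get-DisabledFirewallProfiles {
    # Get-NetFirewallProfile exists on Windows 8 / Server 2012 and later;
    # on older hosts this returns nothing and the firewall is left unassessed.
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
            Select-Object -ExpandProperty Name)
    } else {
        @()
    }
}

$os       = Get-OsSupportStatus
$missing  = Get-MissingHotfixes -Required $RequiredHotfixes
$disabled = Get-DisabledFirewallProfiles

# One row per host; a trust or national body can collect these centrally.
$report = [pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    OperatingSystem   = $os.Caption
    UnsupportedOS     = $os.Unsupported
    MissingHotfixes   = ($missing -join ', ')
    DisabledFirewalls = ($disabled -join ', ')
    Compliant         = (-not $os.Unsupported) -and
                        ($missing.Count -eq 0) -and
                        ($disabled.Count -eq 0)
}

$report | Format-List

# To feed a central register, append the row to a shared CSV, for example:
# $report | Export-Csv -Path '\\server\share\patch-compliance.csv' -Append -NoTypeInformation
```

Run the script from an elevated PowerShell session on each host, or push it through whatever endpoint management tooling the trust already has, and aggregate the CSV rows centrally; a row with `Compliant = False` is exactly the evidence the report says the Department could not obtain before 12 May 2017. On Windows XP era hosts `Get-CimInstance` is unavailable and would need to be swapped for `Get-WmiObject`, which is itself a useful signal that the host should be on the migration list.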
31 October 2017 @ 14:39
Working in NHS recruitment and then in patient facing roles, there is one thing that is constant: IT in the NHS is undervalued, under invested and not respected by the people who make the decisions. This then means people like me have to work in an office of 5 people to 3 PCs.
In my new project (back to recruitment with a private company not NHSP) to change this, you would think that the NHS would be welcoming help with open arms. But alas, no: the onsite teams are under staffed and under funded, waiting 3 days for IT to get to the ticket to sort our issues (not the IT teams’ fault but that of the trust CEO and recruitment process). Even with Matthew Swindells’ big speeches and pushing for a better digital NHS IT system, on the front lines facing patients we rarely see the benefits of IT programmes that are funded and green lighted.
In healthcare we need to start treating IT and all its different disciplines with the respect they deserve, just as we do with clinical. Then, with the same energy put into the IT infrastructure as clinical staff on the front lines, we can do our jobs and I won’t be waiting for 4 hours with a patient waiting for a private ambulance to take them home.
30 October 2017 @ 10:40
All I can hear is: you know nothing, Jon Snow.
27 October 2017 @ 15:27
Why does NHS Digital not provide an “exemplar” example and create central NHS contracts with best of breed software for the management and recording of patch management and virus/ransomware protection, and then make the funds available to local organisations to implement? Local orgs ahead of the game won’t benefit, but those with patient focussed boards that are not IT conversant would be supported to make a transition to a safer way of working, thus protecting the NHS. Instead they create inefficiency by having hundreds of Trusts doing individual things to a guidebook of changing rules!
27 October 2017 @ 14:20
https://www.nao.org.uk/wp-content/uploads/2017/10/Investigation-WannaCry-cyber-attack-and-the-NHS.pdf Well worth reading. A classic government report straight out of the “Delegation of Blame” playbook. No context of years of underinvestment or the Wachter report’s real message: “you aren’t spending enough money to do digital properly”. Lots of “NHS Digital said this” and “NHS England did that”, very little, if any, “Front-line CCIOs and CIOs said this”. Whitehall, talking to people in Whitehall about Whitehall. Whitehall marking its own homework and getting great marks.
27 October 2017 @ 11:38
“…ensure that they have implemented all 39 CareCERT alerts issued by NHS Digital between March and May 2017 and taken essential action to secure local firewalls”
So what about all those N3 Cisco switches, unsupported for the last two years at least, that we are still using because the HSCN replacement network’s not there yet? Show me the money!
27 October 2017 @ 11:34
How much did this cost to state the bleedin’ obvious?
27 October 2017 @ 14:36
E-mail! Dan, you clearly know something, but next to nothing. The WannaCry virus had nothing to do with email. There may well be those who do some of the overcharging and bad management that you refer to, but I have never seen anyone overcharge like some of the so called experts I am sure you are referring to. As for “muppets”, is there really a need for name calling? I think your post should just be removed.
27 October 2017 @ 14:51
Blimey, you’re right Dan. What we should really do is give contracts to big national/international companies who know about healthcare IT and get them to provide systems and application software, hosted in their data centres/clouds; companies perhaps like BT, Cerner, iSoft, TPP, IBM etc. That way, we could shut down the local “cottage industries” which currently support IT and we might end up with world-class NHS IT. We’d probably need a “National Programme for NHS IT” to achieve it but that shouldn’t be a problem.
27 October 2017 @ 15:23
Well said Dave.
27 October 2017 @ 16:14
Dan, you clearly have no concept of ICT in the health service if you think email is the issue! For one, WannaCry was not delivered via email, as has been well documented in many forums. Despite the NAO report, a lot that was coming out of the centre was either old news or available via other channels. But most hospitals aren’t anything like cottage industries. NHS IT departments are managing hundreds of different applications and systems (not just email), and many of the systems are not just accessed within the hospital environment. In addition there are many clinical systems that are now plugged into the network which the manufacturer, due to clinical accreditations, will not let be patched or have anti-virus installed. There is also a disconnect between the government’s message of Frontline first, get rid of back office services, and the drive for digital transformation of the NHS. Yes, you could cloud host services, but just how much would it cost to host 155+ applications, with 400Tb or more of data, in say Microsoft Azure? And would that be practicable, as you’d still need the local wiring closets and desktop support? Sorry Dan, you are showing your ignorance of the real world.
27 October 2017 @ 10:04
No [redacted], Sherlock.
27 October 2017 @ 14:05
Exactly and I could have predicted who many of them were.
They have a 1990s/2000s approach to IT.
Most had local email servers a la Hilary Clinton.
These muppets need to recognise they are complicit in £billions of inefficiency and waste, and worse still the unnecessary suffering and even death of patients.
Most shocking is that this is completely the norm in some places.
Whenever we hear about a disaster those who struggle with it and lose communication are often on local email systems meanwhile the national system remains operational.
Whenever there are delays in recovering from a disaster local email is usually in there somewhere.
When you lift the lid you find an IT department building and hosting servers, charging clinical departments £10K to provision a simple VM, wiring cabinets which look like rats’ nests, least privilege? What’s that?! The list goes on.
There are too many crazy outdated IT cottage industries in the NHS and they need to be stripped out and real experts brought in.