A National Audit Office report has revealed that simple measures could have been taken to protect the NHS from the global cyber-attack in May.
The National Audit Office released a detailed report following its investigation into the 12 May WannaCry event, which was the largest cyber-attack to affect the NHS.
The investigation focused on the ransomware attack’s impact on the NHS and its patients; why some parts of the NHS were affected; and how the Department of Health and NHS national bodies responded to the attack.
Amyas Morse, head of the National Audit Office, said it was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.
“There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
Meg Hillier MP, chair of the Committee of Public Accounts agreed, saying the NHS could have fended off the attack if it had taken simple steps to protect its computers and medical equipment.
“Instead, patients and NHS staff suffered widespread disruption, with thousands of appointments and operations cancelled”, Hillier said.
“The Department of Health failed to agree a plan with the NHS locally for dealing with cyber-attacks so the NHS response came too late in the day.”
The ransomware attack hit the NHS in early May, encrypting data on infected computers and demanding a ransom payment to allow users access.
The key findings of the investigation revealed that the Department was warned about the risks of cyber-attacks on the NHS one year before WannaCry and although it had work underway, it did not formally respond with a written report until July 2017.
“The Department and Cabinet Office wrote to trusts in 2014, saying it was essential they had ‘robust plans’ to migrate away from old software, such as Windows XP, by April 2015”, the report stated.
“In March and April 2017, NHS Digital had issued critical alerts warning organisations to patch their systems to prevent WannaCry.”
“However, before 12 May 2017, the Department had no formal mechanism for assessing whether local NHS organisations had complied with their advice and guidance and whether they were prepared for a cyber-attack.”
A total of 45 NHS organisations were originally identified as being infected by the attack; however, the investigation revealed that at least 81 out of 236 trusts across England were affected.
“A further 603 primary care and other NHS organisations were infected by WannaCry, including 595 GP practices.”
The Department does not know how many NHS organisations could not access records or receive information, because they shared data or systems with an infected trust, the report said.
NHS Digital told the Audit Office that it believes no patient data were compromised or stolen.
Digital Health News had reported that the disruption costs could have run into the millions; however, the Department confirmed to the Audit Office that it does not know exactly how much the disruption to services cost the NHS.
“The Department, NHS England and the National Crime Agency told us that no NHS organisation paid the ransom.”
“Costs included cancelled appointments; additional IT support provided by NHS local bodies, or IT consultants; or the cost of restoring data and systems affected by the attack.”
“National and local NHS staff worked overtime including over the weekend of 13 to 14 May to resolve problems and to prevent a fresh wave of organisations being affected by WannaCry on Monday 15 May.”
WannaCry affected more than 200,000 computers in at least 100 countries. In the UK, the attack led to disruption in at least 34% of trusts in England although the Department and NHS England can’t confirm the full extent of the attack.
Poor communication was another key factor in the overall handling of the attack.
Digital Health News recently reported that NHS Digital admitted its response to WannaCry was “let down” by poor communications to healthcare organisations.
The Audit Office’s investigation confirmed that, as the NHS had not rehearsed for a national cyber-attack, it was not immediately clear who should lead the response.
“Communication was difficult in the early stages of the attack as many local organisations could not communicate with national NHS bodies by email as they had been infected by WannaCry or had shut down their email systems as a precaution, although NHS Improvement did communicate with trusts’ chief executive officers by telephone”, the report stated.
“Locally, NHS staff shared information through personal mobile devices, including using the encrypted WhatsApp application. Although not an official communication channel, national bodies and trusts told us it worked well during the incident.”
The NHS has accepted that there are lessons to learn from WannaCry and is taking action, the report revealed.
“NHS Digital told us that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves.”
“All NHS organisations infected by WannaCry had unpatched or unsupported Windows operating systems so were susceptible to the ransomware.”
Since WannaCry, NHS England and NHS Improvement have written to every trust, clinical commissioning group and commissioning support unit asking boards to ensure that they have implemented all 39 CareCERT alerts issued by NHS Digital between March and May 2017 and taken essential action to secure local firewalls.
Lessons identified by the Department and NHS national bodies include the need to:
• Develop a response plan setting out what the NHS should do in the event of a cyber-attack and establish the roles and responsibilities of local and national NHS bodies and the Department;
• Ensure organisations implement critical CareCERT alerts (emails sent by NHS Digital providing information or requiring action), including applying software patches and keeping anti-virus software up to date;
• Ensure essential communications are getting through during an attack when systems are down; and
• Ensure that organisations, boards and their staff are taking the cyber threat seriously, understand the direct risks to front-line services and are working proactively to maximise their resilience and minimise impacts on patient care.
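The report’s central technical finding is that every infected organisation was running unpatched or unsupported Windows, and its remedy is that boards verify the CareCERT patching alerts have actually been applied. The script below is an added example of that verification step; it is not code from the NAO report, NHS Digital or Digital Health News. It assumes the hosts accept remote WMI/WinRM queries from the account running it, and the KB identifier in `$RequiredKbs` is a placeholder to be replaced with the update IDs named in your own CareCERT alerts (the report does not list them).

```powershell
# Added example: audit a list of Windows hosts for unsupported OS versions and for
# required updates that are not installed. Hypothetical assumptions:
# - $RequiredKbs is the list of KB identifiers from your CareCERT alerts; the value
#   below is a placeholder, not an identifier taken from the report.
# - Hosts answer remote CIM (WinRM) and WMI (DCOM) queries from this account.
param(
    [string[]]$ComputerName = @('localhost'),
    [string[]]$RequiredKbs  = @('KB0000000-PLACEHOLDER')
)

# OS families that were already out of vendor support at the time of WannaCry.
# Windows XP is the one named in the report; the others are assumed additions.
$UnsupportedCaptions = @('Windows XP', 'Windows Server 2003', 'Windows Vista')

function Test-HostPatchState {
    param([string]$Computer, [string[]]$Kbs, [string[]]$Unsupported)

    # Win32_OperatingSystem gives the product name (Caption) and last boot time.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop

    $isUnsupported = $false
    foreach ($name in $Unsupported) {
        if ($os.Caption -like "*$name*") { $isUnsupported = $true }
    }

    # Get-HotFix lists installed updates; any required KB that is absent is a finding.
    $installed = Get-HotFix -ComputerName $Computer -ErrorAction Stop |
        Select-Object -ExpandProperty HotFixID
    $missing = @($Kbs | Where-Object { $installed -notcontains $_ })

    $finding = if ($isUnsupported -or $missing.Count -gt 0) { 'ACTION REQUIRED' } else { 'OK' }

    [pscustomobject]@{
        Computer    = $Computer
        OS          = $os.Caption
        Unsupported = $isUnsupported
        MissingKBs  = ($missing -join ',')
        LastBoot    = $os.LastBootUpTime
        Finding     = $finding
    }
}

$results = foreach ($c in $ComputerName) {
    try {
        Test-HostPatchState -Computer $c -Kbs $RequiredKbs -Unsupported $UnsupportedCaptions
    }
    catch {
        # A host that cannot be queried is itself a finding: it may be offline, off-domain,
        # or too old to answer CIM/WMI, which is exactly the population the report describes.
        [pscustomobject]@{
            Computer    = $c
            OS          = 'UNKNOWN'
            Unsupported = $null
            MissingKBs  = $null
            LastBoot    = $null
            Finding     = "UNREACHABLE: $($_.Exception.Message)"
        }
    }
}

# Human-readable summary on screen, plus a CSV the board can be shown as evidence.
$results | Format-Table -AutoSize
$results | Export-Csv -Path .\patch-audit.csv -NoTypeInformation
```

Run it as `.\Audit-Patches.ps1 -ComputerName (Get-Content .\hosts.txt) -RequiredKbs 'KB…'` with the real alert identifiers. Treating an unreachable host as a finding rather than skipping it matters here: the report’s point is that the Department had no mechanism to confirm compliance, and a silent gap in the inventory recreates that blind spot.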