The National Audit Office’s (NAO) report into the WannaCry attack that infected services across the NHS has found that its impact was considerably larger than previous reports suggested.
The ransomware attack caused widespread disruption to global IT systems on 12 May, raising serious questions about the preparedness of the NHS to deal with such incidents.
According to the NAO’s recently published report, WannaCry affected at least 81 of the 236 trusts across England, either directly or indirectly.
The NHS had previously suggested that one in five trusts were hit, or 48 in total.
Thirty-seven trusts, of which 27 were acute care trusts, were locked out of devices after being infected with the WannaCry ransomware – leading to the cancellation of thousands of appointments and operations.
In addition to preventing access to computers, the cyber-attack also locked out important medical equipment such as MRI scanners and devices for testing blood and tissue samples.
In total, more than 1,200 pieces of diagnostic equipment were infected by the ransomware, although further devices were put out of use after being disconnected from IT systems to prevent the infection spreading, the report explained.
Another 44 trusts were affected by the cyber-attack despite not being directly infected themselves. This was either due to trusts taking their own preventative measures to stop equipment becoming affected, or because of the shut-down of IT systems shared with infected sites.
The Department of Health was unable to provide the Audit Office with a figure on the number of organisations that had access to information restricted due to the attack. NHS Digital suggested that hackers were not able to access patient data.
Keith McNeil, NHS England’s chief clinical information officer (CCIO), said: “As the NAO report makes clear, no harm was caused to patients and there were no incidents of patient data being compromised or stolen.”
However, the report indicates that urgent NHS services were hindered during the attack.
Barts Health NHS Trust, Mid Essex Hospital Services NHS Trust, East and North Hertfordshire NHS Trust, Hampshire Hospitals NHS Foundation Trust and North Cumbria University Hospitals NHS Trust were forced to divert emergency ambulances to other hospitals, with some A&E departments also having to send patients elsewhere.
On top of the 81 trusts affected, a total of 603 primary care trusts, including GP surgeries, were infected by the WannaCry ransomware. NHS England put the total number of cancelled appointments at some 19,494, which includes at least 139 patients who had “an urgent referral for potential cancer cancelled”.
NHS England told the Audit Office that “it does not plan to identify the actual number because it is focusing its efforts on responding appropriately to the lessons learned from WannaCry.”
The bulk of the criticism levelled at NHS England and NHS Digital has been centred on the lack of communication between organisations as the attack unfolded in early May.
Reports of NHS services being locked out of systems began coming in around midday, yet the NHS didn’t declare that an attack was taking place until several hours later.
The Audit Office’s report concluded that the NHS could have prevented the WannaCry cyber-attack had it followed basic IT security practices, including migrating computer systems to newer software versions and keeping internet-facing firewalls up to date.
NHS Digital told Digital Health News that it was now taking steps to stop it falling victim to future attacks, or at least ensure it was better prepared.
Among the key takeaways from the incident, the organisation acknowledged “the need to respond quickly, even if it’s to reassure that we are investigating, rather than to stay silent.”
A spokesperson said it was assessing how the NHS could adopt “multiple channels of communication and not just email”, after it was revealed that WhatsApp became a key communication tool for NHS staff as the ransomware spread.
It also vowed to “[improve] collaboration between sites and between national bodies to distribute messages and receive needs from users.”
NHS England has sharpened its response plans, announcing that an extra £21 million in funding has been made available to build resilience in critical areas “along with a host of new and improved measures” to ensure that local organisations take the steps needed to protect themselves against, and respond effectively to, any future attacks.