Technology leader Andy Vernon talks through ransomware assault, while NHS Digital admits it ‘got it wrong’ in relaying information

The WannaCry attack impacted about 40 NHS trusts across the UK, and 250,000 computers worldwide

“We were waiting for something like this to happen,” said Andy Vernon, director of ICT for Sheffield Teaching Hospitals NHS Foundation Trust, on May’s WannaCry cyberattack. “We had done a lot of work on cybersecurity.”

He added: “But, for a lot of our [people], it had been a largely hypothetical problem that IT were banging on about.”

For all the anticipation of such a threat, and all the pre-emptive measures taken to combat it, WannaCry still came as an unpleasant surprise to Vernon – and his peer group.

“It started on Friday afternoon… I was in a meeting with a number of CIOs from other trusts and this was happening in real time around us. People’s phones started going off at 2pm or 3pm, and it disassembled into each of us looking after our own trusts.”

From the earliest indications, Vernon and the other CIOs in the room “kind of knew what was happening”, having long seen an attack like this as an inevitability. 

“But the nature of WannaCry was different to what we had expected,” he said. “We had planned for people clicking links in emails. This was different in its presentation.”
Vernon added: “Our internal response worked – although it is the sort of thing we will not be able to repeat on a routine basis.”

Related content

• Has the NHS sacrificed cybersecurity for convenience?
• WannaCry NHS attack – busting the myths
• NHS ransomware attack one month on: “The people who didn’t patch Windows 7 should be sacked”

But the response of those outside the trust could have been more helpful, according to Vernon.

“Suppliers were varied in their response… we found some of them helpful, but very many of them were not,” he said.

The Sheffield ICT chief also said that NHS Digital could have provided advice and assurance more promptly and – given that many trusts took their email systems offline as a precautionary measure – through more non-traditional means.

“The thing we would want more of [next time something like this happens] is real-time information, and thinking creatively in terms of channels for providing that,” he said. “Lots of people close down their borders to email – we need to be creative about getting information around the system.”

A lesson learned
Chris Flynn, security operations lead at NHS Digital’s Data Security Centre, admitted that the organisation had made mistakes in how it disseminated information during the WannaCry attack.

“We started to hear reports about 12.30pm or 1pm, and we issued our first [communication] at 5pm. So, it took us about four hours to get something out. We wanted it to be right, and accurate, and with details of remediation,” he said. “One of our learnings is that we got that wrong – we need to be ahead of the curve. Even if we do not know precisely what is going on.”

Sheffield Teaching Hospitals NHS Foundation Trust

16,000
Staff members, including a 200-strong IT department

£1bn
Annual revenue

650
Servers in IT estate, as well as 450 switches

12,000
Number of PCs, connecting to 1,560 printers

He added: “Over the course of the weekend we issued about 12 advisories or pieces of information. But there were lots of people that did not receive that, because they had already pulled up their drawbridge.”

Flynn said that the lessons learned during WannaCry were implemented during the following month’s Petya ransomware attack, which affected numerous organisations across North America and Europe.

“With Petya, we acknowledged early. We issued a statement saying we were aware of the problem, and that there no reports of it affecting the NHS or social care,” he said. “When the next WannaCry hits, we will be in a strong position to ensure that we can maintain those communication channels.”

“Lots of people did not receive our information, because they had already pulled up the drawbridge”
Chris Flynn, NHS Digital

The WannaCry attack, which impacted an estimated 250,000 computers in well over 100 countries around the world, was the biggest ransomware assault the world has yet seen. The NHS was the highest-profile, and perhaps the hardest-hit, of all its victims. About 40 trusts were impacted, with some GPs’ surgeries unable to access patient records, and hospitals forced to divert ambulances to other sites.

For Vernon, who was talking alongside Flynn at last week’s UK Health Show in London, it is a matter of when – not if – the NHS suffers an attack of similar scale.

“It is going to continue being an arms race with the bad guys, and there is no room for complacency,” he said. “WannaCry was a more opportunistic thing – a concerted attack on the NHS could be much more destructive. And that is what keeps me awake at night.”