National Audit Office report also points to a lack of coordination in response to attack, which the government has concluded was conducted by North Korea
More than one in three NHS trusts across England were impacted by May’s WannaCry cyberattack
An investigation from the National Audit Office has found that NHS bodies across England could have implemented simple measures that would have repelled this year’s WannaCry ransomware attack. The report also finds that, after the attack hit, there were “communication problems” and a lack of certainty as to who should coordinate the NHS’s response.
WannaCry, which the NAO says is “the largest cyberattack to affect the NHS” to date, struck on Friday 12 May. The auditor’s investigation examines the impact of WannaCry, and assesses the actions of the NHS and the Department of Health prior to, during, and in the aftermath of the attack.
The report says that the Department of Health was warned about the dangers of cyberattacks in July 2016 by reports from the Care Quality Commission and the National Data Guardian, which both found that such attacks could compromise patient data, and recommended that all health service bodies take steps to improve their cybersecurity. The NAO report says that, when WannaCry struck, the DoH had yet to formally respond to the findings of the previous year’s reports.
“Although the department and its arm’s-length bodies had work underway to improve cybersecurity in the NHS, the department did not publish its formal response to the recommendations until July 2017,” the report says.
The NAO also finds that, as of May 2017, the Department of Health “did not know whether local NHS organisations were prepared for a cyberattack”. Trusts were contacted by the department and the Cabinet Office in 2014 and warned of the importance of migrating away from Windows XP, if they had not already done so. In March and April 2017 NHS Digital also issued two “critical alerts” urging organisations to patch their software systems to prevent cyberattacks.
“However, before 12 May 2017, the department had no formal mechanism for assessing whether NHS organisations had complied with its advice and guidance,” the report says. “Prior to the attack, NHS Digital had conducted an on-site cybersecurity assessment for 88 out of 236 trusts, and none had passed. However, NHS Digital cannot mandate a local body to take remedial action even if it has concerns about the vulnerability of an organisation.”
WannaCry impacted the work of more than one in three – 81 out of 236 – NHS trusts in England, the NAO says. This includes 37 that were infected, causing staff to be locked out of their devices, and a further 41 that decided to shut down email or other digital operations as a precautionary measure. These trusts “had not received central advice early enough on 12 May to inform their decisions on what to do”, the report says.
Some 19,494 NHS appointments across England – an estimated 1% of the overall total – were cancelled in the week following WannaCry.
During the attack five hospitals – the Royal London Hospital, Broomfield Hospital in Essex, Lister Hospital in Stevenage, West Cumberland Hospital, and Basingstoke Hospital – were forced to divert ambulances to other facilities nearby.
Although no trust paid the ransom asked for, the disruption caused by the attack will have hurt the NHS financially, the report says, but the DoH does not know to what extent.
“Costs include: cancelled appointments; additional IT support provided by local NHS bodies, or IT consultants; or the cost of restoring data and systems affected by the attack,” the NAO adds. “National and local NHS staff worked overtime including over the weekend of 13-14 May to resolve problems, and to prevent a fresh wave of organisations being affected by WannaCry on Monday 15 May.”
The DoH had, the report says, developed a plan for how national and local NHS organisations should respond to a cyberattack. But the department “had not tested the plan at a local level”, according to the NAO.
“This meant the NHS was not clear what actions it should take when affected by WannaCry,” the report adds.
Moreover, the lack of rehearsal meant that “it was not immediately clear who should lead the response and there were problems with communications”. Following the commencement of the attack on the morning of 12 May, it took until 4pm for the NHS to declare it a “major incident”, and until 6.45pm to establish “a single point of coordination for incident management”.
“In the absence of clear guidelines on responding to a national cyberattack, local organisations reported the attack to different organisations within and outside the health sector, including local police.”
The impact on NHS email – caused both by infection and the preventive shutdown of systems – hampered communication during the attack. Many workers overcame this problem by using personal devices and consumer apps, the NAO finds.
“Locally, NHS staff shared information through personal mobile devices, including using the encrypted WhatsApp application,” the report says. “Although not an official communication channel, national bodies and trusts told us it worked well during this incident.”
Percentage of trusts that were infected, with a further 17.4% impacted by preventive shutdown of digital operations
Channel through which many NHS staff communicated during WannaCry, which “national bodies and trusts said worked well”
Time on Friday 12 May at which the NHS established a single point of incident-response management, following the attack’s initial impact that morning, and the declaration of a “major incident” at 4pm
Additional funding awarded by the DoH since May to boost cybersecurity in trauma centres
Number of hospitals that were forced to turn away ambulances during WannaCry
According to the NAO, one of the key “lessons learned” in light of the attack is that all trusts infected by the ransomware “shared the same vulnerability and could have taken relatively simple action to protect themselves”. Each of the 37 trusts that suffered infection “had unpatched or unsupported Windows operating systems”, the report finds, while network security measures could also have been improved in many cases.
“Whether organisations had patched their systems or not, taking action to manage their firewalls facing the internet would have guarded organisations against infection,” the NAO says.
The report notes that the DoH and the NHS have recognised the need to implement a number of measures to ensure health service bodies are adequately prepared if another major cyberattack hits.
These measures include the development of a clear response plan that sets out what local and national organisations should do. It is understood that such a plan has now been created and will be tested before the end of the year.
Ensuring NHS bodies implement the advice contained in CareCERT email alerts sent out by NHS Digital is another imperative. Since May, NHS England and NHS Improvement have written to every trust, clinical commissioning group, and commissioning support unit to try to make sure they have all acted on the 39 CareCERT alerts put out between March and May this year.
The NHS and the DoH also recognise the need to “ensure essential communications are getting through during an attack when systems are down”, the report says, as well as making certain “that organisations, boards, and staff are taking the cyber threat seriously.”
Amyas Morse, head of the National Audit Office, said that WannaCry demonstrates the need for the DoH and the NHS to ensure they are prepared for the bigger and nastier threats that exist.
“It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice,” he said. “There are more sophisticated cyber threats out there than WannaCry, so the department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
Professor Keith McNeil, NHS chief clinical information officer for health and care, said: “As the NAO report makes clear, no harm was caused to patients and there were no incidents of patient data being compromised or stolen. Tried and tested emergency plans were activated quickly and our hard-working NHS staff went the extra mile to provide patient care, keeping the impact on NHS services and patients to a minimum.”
A Department of Health spokesperson added: “The NHS has robust measures in place to protect against cyberattack. Since May we have taken further action to strengthen resilience, including new, unannounced CQC cyber security inspections, £21m in funding to improve resilience in trauma centres, and enhanced guidance for trusts.”
The government now believes that North Korea was behind the WannaCry attack, security minister Ben Wallace told the BBC’s Today programme.
“We can be as sure as possible,” he said. “I can’t obviously go into the detailed intelligence but it is widely believed in the community and across a number of countries that North Korea [was responsible].”