NAO calls on NHS to ‘get its act together’ after WannaCry attack

A National Audit Office (NAO) report has criticised the NHS for not being well-enough prepared for the WannaCry cyber attack.

The report found that the Department of Health (DoH) had a plan in place for responding to an attack, but the plan had not been tested. As a result, there were clear communication problems and confusion among local organisations when the WannaCry ransomware attack took place.  

“The department had developed a plan, which included roles and responsibilities of national and local organisations for responding to an attack, but had not tested the plan at a local level,” the report said. “This meant the NHS was not clear what actions it should take when affected by WannaCry.

“As the NHS had not rehearsed for a national cyber attack, it was not immediately clear who should lead the response and there were problems with communications.

“In the absence of clear guidelines on responding to a national cyber attack, local organisations reported the attack to different organisations within and outside the health sector, including local police.”

Earlier this year, NHS Digital’s head of security, Dan Taylor, told Computer Weekly that one of the biggest lessons learned from the incident was communication, and that NHS Digital had “messed up” when it came to sending out information to NHS organisations. “We didn’t send an intelligence bulletin until one minute to five on the Friday – three hours too late,” he said. 

Public Accounts Committee chair Meg Hillier said the NHS could easily have “fended off this attack”.

She added: “The DoH failed to agree a plan with the NHS locally for dealing with cyber attacks, so the NHS response came too late in the day. The NHS and the department need to get serious about cyber security or the next incident could be far worse.”

According to the NAO report, the attack in May, which saw trusts unable to access records, receive information or use IT systems, led to thousands of appointments and operations being cancelled.

The WannaCry attack was not specifically targeted at the NHS, but health organisations in England were hit hard, including 81 trusts and 603 primary care organisations.  

A total of 37 trusts, 27 of them acute trusts, were infected and locked out of devices, while 44 were not infected but had their activities disrupted, such as having to shut down email or systems as a precaution due to not having received advice on what to do.

A further 21 trusts were “attempting to contact the WannaCry domain, but were not locked out of their devices”, the report said.

The report criticised the NHS for what it said was essentially a preventable attack, had local NHS organisations had the right cyber security protocols in place.

“NHS Digital told us that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves,” said the NAO. “Infected organisations had unpatched or unsupported Windows operating systems, so were susceptible to the ransomware.

“However, whether organisations had patched their systems or not, taking action to manage their firewalls facing the internet would have guarded them against infection.”

The report added that if it hadn’t been for a cyber researcher activating a kill switch that stopped WannaCry from locking devices, the attack could have been much worse. Activating the kill switch meant that some organisations that were infected by the WannaCry ransomware were not locked out of their systems and devices due to the actions of the researcher.

NAO head Amyas Morse said the attack had “potentially serious implications” for the health service.

“It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice,” he said. “There are more sophisticated cyber threats out there than WannaCry, so the department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

Following the attack, NHS national bodies and the DoH have identified a series of lessons learned, including making sure local organisations take cyber threats seriously and ensuring there are proper communication channels during a cyber incident.