NAO report on WannaCry Ransomware Attack on the NHS

Written by Talal Rajab, Head of Cyber and National Security at techUK

On Friday, 27 October, the National Audit Office (NAO) published a report on the “WannaCry” ransomware attack that hit the NHS earlier this year. The ransomware, which also affected a wide variety of businesses around the world, led to disruption in at least 34% of Trusts in England, with 37 infected and locked out of devices and 44 more disrupted either due to precautions or related systems. Responding to the attack were a number of organisations including NHS England, NHS Digital, NHS Improvement, the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA).

The report describes the effects on health services (restricted to England and discounting WannaCry’s effects on other sectors) and outlines some of the lessons learned from the attack.

The findings of the report highlight failings throughout the UK health services and detail a lack of preparedness, awareness and resilience. Some key failings listed by the NAO include:

  • The Department of Health and NHS Digital had developed a response plan and warned local Trusts of the importance of migrating away from old, unsupported software such as Windows XP. However, the Department “had no formal mechanism for assessing whether local NHS organisations had complied with their advice and guidance and whether they were prepared for a cyber attack”.
  • The NHS had not rehearsed the incident response plan, so it was unclear who would lead the response, leading to a breakdown of communication. Many local organisations could not communicate with national NHS bodies by email as they had been infected by WannaCry or had shut down their email systems, forcing local NHS staff to communicate through personal mobile devices and encrypted applications such as WhatsApp.
  • All organisations infected by WannaCry shared the same vulnerability, and infection could have been prevented by taking simple precautions such as patching software and not using unsupported operating systems that were more susceptible to the ransomware. NHS Digital also stated that, whether or not organisations had patched their systems, taking action to manage their internet-facing firewalls would have guarded them against infection.
  • The NHS is taking action to ensure similar attacks do not have the same effect. NHS England and NHS Improvement have written to every major health body asking boards to ensure that they have implemented all alerts issued by NHS Digital between March and May 2017 and taken essential action to secure local firewalls.

It is important to recognise that the NHS was not the only organisation that severely suffered from the ransomware attack. It was a security breach on a scale that had not been witnessed before. However, the lack of preparation at a local level was worrying, and it is clear that the WannaCry attack was a wake-up call for all organisations of all sizes, not just the NHS.

techUK, through its Cyber in Healthcare working group, will be taking a closer look at the cyber challenges facing the NHS over the next year and looks forward to working with members and NHS Digital to ensure that the NHS is resilient to cyber threats.