
NHS & Department of Health warned to ‘get their act together’ after National Audit Office WannaCry investigation

National Audit Office investigation into the WannaCry attack finds NHS organisations ‘had tended to overestimate’ their readiness to deal with cyber attacks.
By Leontina Postelnicu

[London, UK] The National Audit Office has urged the NHS and the Department of Health to ‘get their act together’ and strengthen cyber defence capabilities of the health service in England following an investigation into the WannaCry attack, released today.

The 12 May 2017 cyber incident affected more than 200,000 computers in 150 countries around the globe. In England, the biggest impact was felt across the NHS.

NAO findings suggest that services at 81 trusts were disrupted, in part because some providers switched off their own systems as a precaution to stop the infection spreading.

In addition, more than 600 primary care and other NHS organisations were affected, including 595 GP surgeries.

However, the NAO emphasises that NHS England does not know the ‘full extent’ of service disruption, although it is believed that more than 19,000 appointments were cancelled in total.

The total cost of the response to the WannaCry attack has not yet been identified. Earlier this year, BJ-HC reported that emergency measures deployed during the cyber incident cost NHS England and NHS Digital £180,000 from internal budgets.

The NAO investigation indicates that the Department of Health had developed a plan setting out the responsibilities of national and local organisations in the event of a cyber attack of this scale. But the plan had never been tested at a local level, so when the attack came it was unclear who should take which action, and the response was delayed.

In June, BJ-HC reported that Cambridge University Hospitals NHS Foundation Trust’s report on the WannaCry response indicated communications between the provider and NHS England could have been ‘better coordinated’. The trust was not ‘formally notified’ that a major incident had been declared.

The ransomware reportedly spread as a self-propagating worm over network connections, including the N3 network that connects NHS sites across the country, and not through the NHSmail email system. WannaCry exploited a vulnerability in the Windows SMBv1 file-sharing service for which Microsoft had published a patch in March 2017, so an unpatched machine reachable over the network could be infected without any user opening an attachment or clicking a link.

It is believed that no patient data was compromised or stolen during the attack, and that no NHS organisation paid a ransom.

“NHS Digital also told us that analysis of the WannaCry ransomware suggested that the cyber attack was not aimed at accessing or stealing data, although it does not know for certain that this is the case,” the NAO added in the report.

Figures indicate that 32 of the 37 trusts directly infected by the WannaCry malware were located in the North NHS and Midlands and East NHS regions. However, NHS England told the NAO it believes this reflects timing rather than regional weakness: these organisations were hit early on 12 May, before the malware's 'kill switch' was activated. The kill switch was a domain name the malware checked before spreading further; once a security researcher registered that domain, newly infected machines stopped propagating the worm.

The view from the centre is that the malware succeeded in infiltrating the systems of NHS trusts because they had simply 'failed to maintain good cyber-security practices', in particular applying available patches and retiring unsupported software.

Few trusts experienced problems with medical devices, but NHS Digital and NHS England reportedly said that support from the vendors of those devices was 'often poor'.

Before the attack, 88 trusts had failed the NHS Digital CareCERT Assure on-site inspection, and the NAO argues that NHS organisations 'had tended to overestimate their readiness' to deal with a cyber attack.

Amyas Morse, Head of the National Audit Office, said: "The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice."

“There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

Meg Hillier MP, Chair of the Committee of Public Accounts, warned that the NHS and the Department of Health need to 'get serious' and improve their cyber defence capabilities:

“The NHS could have fended off this attack if it had taken simple steps to protect its computers and medical equipment. Instead, patients and NHS staff suffered widespread disruption, with thousands of appointments and operations cancelled.

“The Department of Health failed to agree a plan with the NHS locally for dealing with cyber attacks so the NHS response came too late in the day.”