National Audit Office NAO

1 Insufficient powers of coordinator
Remedial actions not mandated

Local healthcare organisations such as trusts and clinical commissioning groups are responsible for keeping the information they hold secure, and for having arrangements in place to respond to an incident or emergency, including a cyber attack. Local healthcare bodies are overseen by the Department and its arm’s-length bodies. The Department and Cabinet Office wrote to trusts in 2014, saying it was essential they had “robust plans” to migrate away from old software, such as Windows XP, by April 2015. In March and April 2017, NHS Digital had issued critical alerts warning organisations to patch their systems to prevent WannaCry. However, before 12 May 2017, the Department had no formal mechanism for assessing whether NHS organisations had complied with its advice and guidance. Prior to the attack, NHS Digital had conducted an on-site cyber-security assessment for 88 out of 236 trusts, and none had passed. However, NHS Digital cannot mandate a local body to take remedial action even if it has concerns about the vulnerability of an organisation (paragraphs 2.5, 2.7, 2.10 to 2.12 and 3.2, and Figure 4).

2 Basic IT security measures not applied

Failure to patch and update systems and reliance on old software

2.3 It is not possible to eliminate all cyber threats but organisations can prevent harm through good cyber-security. Such practice includes maintaining up-to-date firewalls and anti-virus software, and applying patches (updates) in a timely manner. NHS England’s view is that WannaCry infected some parts of the NHS mainly because organisations had failed to maintain good cyber-security practices.

2.4 NHS Digital told us that all the infected trusts had a common vulnerability in their Windows operating systems which was exploited by the WannaCry attack. All NHS organisations infected by WannaCry had unpatched, or unsupported, Windows operating systems. However, whether organisations had patched their systems or not, taking action to manage their firewalls facing the internet would have guarded the organisations against infection.
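The report notes that before 12 May 2017 there was no formal mechanism for checking whether organisations had acted on the patching alerts, and that both unpatched or unsupported Windows systems and unmanaged internet-facing firewalls left trusts exposed. The following is an added example, not code from the NAO report or from any NHS body, of the kind of compliance check such a mechanism could run: it takes a constructed inventory of endpoints and perimeter firewall rules and flags hosts that run an operating system past its vendor support date, that have not applied a critical patch within a grace period of the alert, or that are reachable inbound from the internet outside an approved-exposure list. All host names, dates, ports and the 14-day grace period are assumptions made for the example; the alert date is constructed (the report says only that alerts were issued in March and April 2017) and the assessment date is the 12 May 2017 given in the report.

```python
"""Patch and perimeter compliance audit over a constructed asset inventory.

Added example; not part of the NAO report. All data below is sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

PATCH_GRACE_DAYS = 14  # assumption: a critical alert must be actioned within 14 days


@dataclass
class Host:
    name: str
    os: str
    support_end: date   # vendor end-of-support date for this OS (constructed)
    last_patched: date  # date the most recent critical patch was applied (constructed)


@dataclass
class FirewallRule:
    name: str
    direction: str      # "inbound" or "outbound"
    source: str         # "internet" or an internal network label
    dest_host: str
    dest_port: int
    action: str         # "allow" or "deny"


def audit_host(host: Host, critical_alert: date, as_of: date) -> List[str]:
    """Return the findings for one host; an empty list means the host passes."""
    findings = []
    if host.support_end < as_of:
        findings.append(f"unsupported OS ({host.os}, support ended {host.support_end})")
    # A host is compliant if it was patched on or after the alert date, or if the
    # grace period after the alert has not yet elapsed on the assessment date.
    deadline = critical_alert + timedelta(days=PATCH_GRACE_DAYS)
    if host.last_patched < critical_alert and as_of > deadline:
        findings.append(f"critical patch outstanding since {critical_alert} (deadline {deadline})")
    return findings


def audit_firewall(rules: List[FirewallRule],
                   approved_exposure: Set[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Map host name -> findings for inbound 'allow' rules from the internet that
    are not on the approved-exposure list (host, port)."""
    findings: Dict[str, List[str]] = {}
    for rule in rules:
        if rule.direction == "inbound" and rule.source == "internet" and rule.action == "allow":
            if (rule.dest_host, rule.dest_port) not in approved_exposure:
                findings.setdefault(rule.dest_host, []).append(
                    f"rule '{rule.name}' exposes port {rule.dest_port} to the internet")
    return findings


def audit(hosts: List[Host], rules: List[FirewallRule],
          approved_exposure: Set[Tuple[str, int]],
          critical_alert: date, as_of: date):
    """Return (per-host findings, number of hosts passing, number of hosts assessed)."""
    firewall_findings = audit_firewall(rules, approved_exposure)
    report = {h.name: audit_host(h, critical_alert, as_of) + firewall_findings.get(h.name, [])
              for h in hosts}
    passed = sum(1 for f in report.values() if not f)
    return report, passed, len(hosts)


# --- constructed sample data ---------------------------------------------------
CRITICAL_ALERT = date(2017, 4, 1)   # constructed; alerts were issued in March/April 2017
AS_OF = date(2017, 5, 12)           # assessment date: the day the attack began

HOSTS = [
    Host("ward-pc-01", "Windows XP", date(2014, 4, 8), date(2014, 3, 1)),
    Host("imaging-srv-02", "Windows Server 2008 R2", date(2020, 1, 14), date(2017, 2, 20)),
    Host("web-portal-01", "Windows Server 2016", date(2027, 1, 12), date(2017, 4, 3)),
]
RULES = [
    FirewallRule("public-web", "inbound", "internet", "web-portal-01", 443, "allow"),
    FirewallRule("legacy-remote-admin", "inbound", "internet", "imaging-srv-02", 3389, "allow"),
    FirewallRule("default-deny", "inbound", "internet", "ward-pc-01", 0, "deny"),
]
APPROVED_EXPOSURE = {("web-portal-01", 443)}  # only the public portal may face the internet

if __name__ == "__main__":
    report, passed, total = audit(HOSTS, RULES, APPROVED_EXPOSURE, CRITICAL_ALERT, AS_OF)
    for host, findings in report.items():
        status = "PASS" if not findings else "FAIL"
        print(f"{host}: {status}")
        for f in findings:
            print(f"  - {f}")
    print(f"{passed} of {total} hosts pass")
```

Run on the sample inventory, the audit passes only the patched, supported web portal whose exposure is on the approved list; the Windows XP workstation fails on both the support and patch checks, and the imaging server fails on patching and on an unapproved inbound rule. Keeping the approved-exposure list explicit turns the report's observation about internet-facing firewalls into a checkable policy rather than a judgement made after an incident.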

3 Action plan for cyber attack not tested nor refined
Response to the attack delayed and less effective

3.3 Before the WannaCry attack the Department had developed a plan for responding to a cyber attack, which included roles and responsibilities of national and local organisations. However, the Department had not tested the plan at a local level. This meant the NHS was not clear what actions it should take when affected by WannaCry, including how it should respond at a local level. On 12 May 2017, NHS England determined that it should declare a national major incident and decided that it would lead the response, coordinating with NHS Digital and NHS Improvement. NHS England treated the attack as a major operational incident through its existing Emergency Preparedness, Resilience and Response (EPRR) processes. However, as NHS England had not rehearsed its response to a cyber attack it faced a number of challenges. The cyber attack was less visible than other types of incident and not confined to local areas or regions in the way a major transport accident would have been, for example. This meant that it took more time to determine the cause of the problem, the scale of the problem and the number of people and organisations affected.

3.4 Without clear guidelines on responding to a national cyber attack, organisations reported the attack to different sources including the local police, NHS England and NHS Digital. For the same reason communications to patients and local organisations also came from a number of sources. These included the National Cyber Security Centre, which was providing support to all UK organisations affected by the attack, NHS England and NHS Digital. In addition, the use of email for communication was limited, although NHS Improvement did communicate with trusts’ chief executive officers by telephone. Affected trusts shut down IT systems, including some trusts disconnecting from NHS email and the N3 network as a precautionary measure. The Department coordinated the response with the centre of government, briefing ministers, liaising with the National Cyber Security Centre and National Crime Agency, and overseeing NHS England’s and NHS Digital’s operational response.

Background

On Friday 12 May 2017 a global ransomware attack, known as WannaCry, affected more than 200,000 computers in at least 100 countries. In the UK, the attack particularly affected the NHS, although it was not the specific target. At 4 pm on 12 May, NHS England declared the cyber attack a major incident and implemented its emergency arrangements to maintain health and patient care. On the evening of 12 May a cyber-security researcher activated a kill-switch so that WannaCry stopped locking devices.

According to NHS England, the WannaCry ransomware affected at least 80 out of the 236 trusts across England, because they were either infected by the ransomware or turned off their devices or systems as a precaution. A further 603 primary care and other NHS organisations were also infected, including 595 GP practices.

Objectives

Our investigation focuses on events immediately before 12 May 2017 and up until 30 September 2017. We only cover the effect the WannaCry attack had on the NHS in England. We do not cover how the WannaCry attack affected other countries or organisations outside the NHS. A cyber attack on either the health or social care sectors could cause disruption across the whole health and social care sector. For example, the Care Quality Commission (CQC) told us that, as some trusts were unable to communicate with social services, there could have been delays in the discharge of patients from hospital to social care, although the CQC relayed advice from NHS Digital and NHS England to social care providers to help manage any disruption. This investigation sets out the facts about:

the ransomware attack’s impact on the NHS and its patients;

why some parts of the NHS were affected; and

how the Department and NHS national bodies responded to the attack.

The items above were selected and named by the e-Government Subgroup of the EUROSAI IT Working Group on the basis of publicly available reports of the author Supreme Audit Institutions (SAIs). In the same way, the Subgroup prepared the analytical assumptions and headings. All readers are encouraged to consult the original texts by the author SAIs (linked).