The National Audit Office (“NAO”) has published a report (the “Report”) which investigates the National Health Service’s (“NHS”) response to the global ransomware cyber-attack known as WannaCry and the impact of the attack on the health services. In May 2017 the WannaCry attack significantly disrupted critical infrastructure systems across the world, including the systems underlying the NHS. The incident caused significant disruption to the health sector in the UK and has led to the Department of Health (“DoH”) and NHS issuing data security and protection requirements that will need to be implemented by all health care organisations before April 2018 to mitigate the risks associated with a subsequent attack. The Report sets out facts regarding the impact of the attack on the NHS and its patients, reasons why certain parts of the NHS were affected and how the DoH and the NHS national bodies responded to the attack.
Some of the key findings of the Report are listed below:
- WannaCry is the largest cyber-attack so far to have affected the NHS. While the full extent of the disruption is not known, 34% of trusts in England were affected and thousands of appointments and operations were cancelled.
- DoH had been warned about the NHS’ vulnerability to cyber-attacks in July 2016. Although the DoH had maintenance works under way to address these risks, it did not formally implement them until July 2017 and was not aware of the local NHS organisations’ level of preparedness to deal with such an attack.
- While no NHS organisation paid ransom in response to the ransomware demands, the cost of disruption to services suffered by the NHS is not known.
- Although the DoH had a plan in place to respond to an attack, the plan had not been tested at a local level, which led to a significant delay in response time when the attack occurred.
- All organisations affected by WannaCry shared the same vulnerability and could have protected themselves. While IT security alerts had been issued by NHS Digital between March and May 2017, these had not been acted upon across several organisations, thereby leaving them vulnerable to attack. At the time of the attack, many organisations were therefore running unsupported Windows operating systems or systems that had not been updated, together with firewalls that had also not been updated.
For the full report on the investigation into the WannaCry cyber-attack and the NHS click here.
Andrew Moir
Partner, Intellectual Property and Global Head of Cyber & Data Security, London