Investigation into the NHS WannaCry ransomware attack
On Friday 12 May 2017 a computer virus, known as WannaCry, which encrypts data on infected computers and demands a ransom payment to allow users access, was released worldwide.
WannaCry was the largest cyber attack to affect the NHS in England, although individual trusts had been attacked before 12 May.
The National Audit Office investigation focused on the ransomware attack’s impact on the NHS and its patients; why some parts of the NHS were affected; and how the Department and NHS national bodies responded to the attack.
The key findings of the investigation are:
The Department was warned about the risks of cyber attacks on the NHS a year before WannaCry and, although it had work underway, it did not formally respond with a written report until July 2017.
The attack led to disruption in at least 34% of trusts in England, although the Department and NHS England do not know the full extent of the disruption.
Thousands of appointments and operations were canceled and in five areas patients had to travel further to accident and emergency departments.
The Department, NHS England and the National Crime Agency told us that no NHS organisation paid the ransom, but the Department does not know how much the disruption to services cost the NHS.
The cyber attack could have caused more disruption if it had not been stopped by a cyber researcher activating a ‘kill switch’ so that WannaCry stopped locking devices.
The Department had developed a plan, which included roles and responsibilities of national and local organisations for responding to an attack, but had not tested the plan at a local level.
NHS England initially focused on maintaining emergency care.
NHS Digital told us that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves.
Infected organisations had unpatched or unsupported Windows operating systems, so they were susceptible to the ransomware.
“The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients.
It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.
There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
Amyas Morse, head of the National Audit Office, 27 October 2017