Cyber attack hit more than a third of trusts

27 October 2017


Reporting on its investigation into the WannaCry ransomware attack on 12 May, the auditors said that 34% of trusts were affected, though the Department of Health and NHS England did not know the full extent of the disruption.

NHS England estimated that around 19,000 appointments were cancelled. Ransomware typically encrypts the files on a computer and demands a payment for their release. As well as 81 of the 236 trusts, computer systems in a further 603 primary care and other NHS organisations were infected. This included 595 GP practices. ‘Neither the Department nor NHS England know how many GP appointments were cancelled, or how many ambulances and patients were diverted from the five accident and emergency departments that were unable to treat some patients,’ the NAO added.

It said the Department had taken steps, with the Cabinet Office, asking trusts to move away from old, vulnerable software, such as Windows XP, by April 2015. And in the two months immediately preceding the attack, NHS Digital warned organisations to patch their systems to prevent WannaCry. Unsupported and unpatched Windows systems were vulnerable, but, even if they had not been patched, better management of internet-facing firewalls would have protected against infection, the NAO report said.

However, before 12 May, the Department had no formal mechanism for assessing whether local organisations had complied and were prepared for an attack.

A response plan had been developed for use in the wake of a cyber attack, but the Department had not tested it with NHS organisations.

While no NHS organisation paid a ransom for the release of their files, the Department did not know how much the disruption, additional IT support and the restoration of systems and data had cost the NHS.

Amyas Morse, head of the NAO, said: ‘The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.’

NHS Providers’ development and operations director Ben Clacy said capital funding was needed to deal with cyber threats. ‘This incident was a powerful reminder that we need significant capital investment to ensure we can deal with the threat of cyber crime in the future,’ he said.

‘The NHS is taking steps at national and local level to prepare for the next attack. Part of this is to ensure that trusts apply software patches and keep anti-virus software up to date. And there are lessons too around communication, both within the NHS and with the wider public.’