National Audit Office Press Releases
Investigation: WannaCry cyber attack and the NHS
On Friday 12 May 2017 a computer virus, known as WannaCry, which encrypts data on infected computers and demands a ransom payment to allow users access, was released worldwide. WannaCry was the largest cyber attack to affect the NHS in England, although individual trusts had been attacked before 12 May.
The National Audit Office investigation focused on the ransomware attack’s impact on the NHS and its patients; why some parts of the NHS were affected; and how the Department and NHS national bodies responded to the attack.
The key findings of the investigation are:
- The Department was warned about the risks of cyber attacks on the NHS a year before WannaCry and, although it had work underway, it did not formally respond with a written report until July 2017. The Department and Cabinet Office wrote to trusts in 2014, saying it was essential they had “robust plans” to migrate away from old software, such as Windows XP, by April 2015. In March and April 2017, NHS Digital had issued critical alerts warning organisations to patch their systems to prevent WannaCry. However, before 12 May 2017, the Department had no formal mechanism for assessing whether local NHS organisations had complied with this advice and guidance and whether they were prepared for a cyber attack.
- The attack led to disruption in at least 34% of trusts in England although the Department and NHS England do not know the full extent of the disruption. On 12 May, NHS England initially identified 45 NHS organisations including 37 trusts that had been infected by the WannaCry ransomware. In total at least 81 out of 236 trusts across England were affected. A further 603 primary care and other NHS organisations were infected by WannaCry, including 595 GP practices. However, the Department does not know how many NHS organisations could not access records or receive information, because they shared data or systems with an infected trust. NHS Digital told us that it believes no patient data were compromised or stolen.
- Thousands of appointments and operations were cancelled and in five areas patients had to travel further to accident and emergency departments. Between 12 and 18 May, NHS England collected some information on cancelled appointments, to help it manage the incident, but this did not include all types of appointment. NHS England identified 6,912 appointments had been cancelled, and estimated over 19,000 appointments would have been cancelled in total. Neither the Department nor NHS England know how many GP appointments were cancelled, or how many ambulances and patients were diverted from the five accident and emergency departments that were unable to treat some patients.
- The Department, NHS England and the National Crime Agency told us that no NHS organisation paid the ransom, but the Department does not know how much the disruption to services cost the NHS. Costs included cancelled appointments, additional IT support provided by local NHS bodies or IT consultants, and the cost of restoring data and systems affected by the attack. National and local NHS staff worked overtime, including over the weekend of 13 to 14 May, to resolve problems and to prevent a fresh wave of organisations being affected by WannaCry on Monday 15 May.
- The cyber attack could have caused more disruption if it had not been stopped by a cyber researcher activating a ‘kill switch’ so that WannaCry stopped locking devices. Between 15 May and mid-September NHS Digital and NHS England identified a further 92 organisations, including 21 trusts, as contacting the WannaCry domain, though some of these may have been contacting the domain as part of their cyber security activity. Of the 37 trusts infected and locked out of devices, 32 were located in the North NHS Region and the Midlands & East NHS region. NHS England believes more organisations were infected in these regions because they were hit early on 12 May, before the WannaCry ‘kill switch’ was activated.
- The Department had developed a plan, which included roles and responsibilities of national and local organisations for responding to an attack, but had not tested the plan at a local level. As the NHS had not rehearsed for a national cyber attack it was not immediately clear who should lead the response and there were problems with communications. Many local organisations could not communicate with national NHS bodies by email as they had been infected by WannaCry or had shut down their email systems as a precaution, though NHS Improvement did communicate with trusts’ Chief Executive Officers by telephone. Locally NHS staff shared information through personal mobile devices, including using the encrypted WhatsApp application.
- NHS England initially focused on maintaining emergency care. Since the attack occurred on a Friday it caused minimal disruption to primary care services, which tend to be closed over the weekend. Twenty-two of the 27 infected acute trusts managed to continue treating urgent and emergency patients throughout the weekend. However, five, in London, Essex, Hertfordshire, Hampshire and Cumbria, had to divert patients to other Accident and Emergency departments, and a further two needed outside help to continue treating patients. By 16 May only two hospitals were still diverting patients. The recovery was helped by the work of the cyber security researcher who stopped WannaCry spreading.
- NHS Digital told us that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves. Infected organisations had unpatched or unsupported Windows operating systems and so were susceptible to the ransomware. However, even where organisations had not patched their systems, managing their internet-facing firewalls would have guarded them against infection.
- The NHS has accepted that there are lessons to learn from WannaCry and is taking action. NHS England and NHS Improvement have written to every major health body asking boards to ensure that they have implemented all alerts issued by NHS Digital between March and May 2017 and taken essential action to secure local firewalls.
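The two exposure conditions the findings name, Windows hosts that are unsupported or unpatched and internet-facing firewalls that let SMB traffic in, can be checked mechanically. The Python script below is an added example and is not part of the NAO report or of any NHS tooling; the host inventory, the two rule sets, the field names, the probe address and the default-deny policy are all constructed assumptions. It walks a first-match rule list the way a perimeter firewall would, probing from a non-private address on the SMB ports WannaCry spread over, and separately lists hosts that run an unsupported Windows version or lack the SMB patch.

```python
"""Audit a host inventory and an internet-facing firewall policy for the
WannaCry exposure conditions: unsupported/unpatched Windows and inbound SMB
reachable from the internet. All data below is constructed sample data."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# SMB ports the worm spread over (SMBv1 on TCP 445, NetBIOS session on TCP 139).
SMB_PORTS = {("tcp", 445), ("tcp", 139)}

# Windows versions out of vendor support in May 2017. Windows XP is the version
# the 2014 letter names; Server 2003 is added here as an assumption.
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    smb_patched: bool  # assumption: True once the vendor SMB fix is installed


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    direction: str       # "inbound" or "outbound"
    proto: str           # "tcp" or "udp"
    port: Optional[int]  # None matches any port
    source: str          # source network in CIDR form


def host_exposure(host: Host) -> Optional[str]:
    """Reason a host is exposed to the worm, or None if it is not."""
    if host.os in UNSUPPORTED_OS:
        return "unsupported operating system"
    if not host.smb_patched:
        return "SMB patch not applied"
    return None


def vulnerable_hosts(hosts):
    """(name, reason) for every host that is unsupported or unpatched."""
    found = []
    for h in hosts:
        reason = host_exposure(h)
        if reason:
            found.append((h.name, reason))
    return found


def first_match(rules, direction, proto, port, src) -> str:
    """Evaluate a packet against an ordered rule list; first matching rule wins.
    Assumed default policy when nothing matches: deny."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if r.direction != direction or r.proto != proto:
            continue
        if r.port is not None and r.port != port:
            continue
        if addr in ipaddress.ip_network(r.source, strict=False):
            return r.action
    return "deny"


def internet_reachable_smb(rules, probe_src="203.0.113.5"):
    """SMB ports an unsolicited packet from the internet would be allowed to reach.
    The probe address is from the documentation range, i.e. not a private network."""
    return sorted(port for proto, port in SMB_PORTS
                  if first_match(rules, "inbound", proto, port, probe_src) == "allow")


def audit(hosts, rules):
    """Combined finding: exposed hosts plus SMB ports open to the internet."""
    return {"hosts": vulnerable_hosts(hosts),
            "internet_smb_ports": internet_reachable_smb(rules)}


# Constructed inventory: one unsupported host, one unpatched host, one clean host.
SAMPLE_HOSTS = [
    Host("ward-pc-01", "Windows XP", False),
    Host("ward-pc-02", "Windows 7", False),
    Host("ward-pc-03", "Windows 7", True),
]

# Weak setting: SMB allowed in from anywhere, e.g. a legacy file-share link.
WEAK_RULES = [
    Rule("allow", "inbound", "tcp", 443, "0.0.0.0/0"),
    Rule("allow", "inbound", "tcp", 445, "0.0.0.0/0"),
]

# Corrected setting: SMB only from the internal network, explicit catch-all deny.
HARDENED_RULES = [
    Rule("allow", "inbound", "tcp", 443, "0.0.0.0/0"),
    Rule("allow", "inbound", "tcp", 445, "10.0.0.0/8"),
    Rule("deny", "inbound", "tcp", None, "0.0.0.0/0"),
]

if __name__ == "__main__":
    print("weak policy:    ", audit(SAMPLE_HOSTS, WEAK_RULES))
    print("hardened policy:", audit(SAMPLE_HOSTS, HARDENED_RULES))
```

Against the weak rule set the audit reports port 445 reachable from the internet; against the hardened one it reports none, while the internal-network allow still lets `10.x` hosts reach SMB. The host check is independent of the firewall check, which is the point of the finding: either control alone would have blocked the worm's entry, and both were missing at the infected organisations.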
“The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
Amyas Morse, head of the National Audit Office, 24 April 2018.
Notes for Editors
- NHS Digital is an arms-length body of the Department of Health, and is the national provider of information, data and IT systems for commissioners, analysts and clinicians in health and social care.
- Press notices and reports are available from the date of publication on the NAO website. Hard copies can be obtained by using the relevant links on our website.
- The National Audit Office scrutinises public spending for Parliament and is independent of government. The Comptroller and Auditor General (C&AG), Sir Amyas Morse KCB, is an Officer of the House of Commons and leads the NAO, which employs some 785 people. The C&AG certifies the accounts of all government departments and many other public sector bodies. He has statutory authority to examine and report to Parliament on whether departments and the bodies they fund have used their resources efficiently, effectively, and with economy. Our studies evaluate the value for money of public spending, nationally and locally. Our recommendations and reports on good practice help government improve public services. Our work led to audited savings of £734 million in 2016.