NAO publishes report on WannaCry Ransomware Attack on the NHS
On Friday, 27 October, the National Audit Office (NAO) published a report on the “WannaCry” ransomware attack that hit the NHS earlier this year.
The ransomware, which also affected a wide variety of businesses around the world, led to disruption in at least 34% of Trusts in England, with 37 infected and locked out of devices and 44 more disrupted either due to precautions or related systems. Responding to the attack were a number of organisations including NHS England, NHS Digital, NHS Improvement, the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA).
The report describes the effects on health services (restricted to England and discounting WannaCry’s effects on other sectors) and outlines some of the lessons learned from the attack.
The findings of the report highlight failings throughout the UK health services and detail a lack of preparedness, awareness and resilience. Some key failings listed by the NAO include:
- The Department of Health and NHS Digital had developed a response plan and warned local Trusts of the importance of migrating away from old, unsupported software such as Windows XP. However, the Department “had no formal mechanism for assessing whether local NHS organisations had complied with their advice and guidance and whether they were prepared for a cyber attack”.
- The NHS had not rehearsed the incident response plan, so it was unclear who would lead the response, leading to a breakdown of communication. Many local organisations could not communicate with national NHS bodies by email as they had been infected by WannaCry or had shut down their email systems, forcing local NHS staff to communicate through personal mobile devices and encrypted applications such as WhatsApp.
- All organisations infected by WannaCry shared the same vulnerability, which could have been prevented by taking simple precautions such as patching their software and not using unsupported operating systems that were more susceptible to the ransomware. NHS Digital also stated that whether organisations had patched their systems or not, taking action to manage their firewalls facing the internet would have guarded organisations against infection.
- The NHS is taking action to ensure similar attacks do not have the same effect. NHS England and NHS Improvement have written to every major health body asking boards to ensure that they have implemented all alerts issued by NHS Digital between March and May 2017 and have taken essential action to secure local firewalls.
It is important to recognise that the NHS was not the only organisation that suffered severely from the ransomware attack. It was a security breach on a scale that had not been witnessed before. However, the lack of preparation at a local level was worrying, and it is clear that the WannaCry attack was a wake-up call for all organisations of all sizes, not just the NHS.
techUK, through its Cyber in Healthcare working group, will be taking a closer look at the cyber challenges facing the NHS over the next year and looks forward to working with members and NHS Digital to ensure that the NHS is resilient to cyber threats.