The WannaCry hack was relatively unsophisticated and could have been prevented with basic IT security best practice. There are greater cyber threats out there and the NHS must ensure it is better protected
The National Health Service (NHS) in England left itself vulnerable to hacking because basic security recommendations were not followed and the central plan for responding to a cyber attack had not been tested at a local level.
As a result, organisations were not clear about their roles and responsibilities when the computer virus WannaCry locked users’ files on Friday 12 May.
The impact of the attack was amplified because critical alerts to organisations warning them to migrate away from old software such as Windows XP, and to patch their computer systems to protect against WannaCry, were not followed by all local organisations.
WannaCry affected more than 200,000 computers in at least 100 countries, encrypting data and demanding a ransom payment to allow users access.
In the UK, the attack particularly affected the NHS, although the health service was not the specific target. Overall, it was the largest hack ever on the NHS in England.
An independent investigation into the attack and its effects on patients, carried out by the National Audit Office, found it disrupted at least 81 of 236 hospitals and that 603 primary care and other NHS organisations were infected by WannaCry.
Although no patient data were compromised or stolen, more than 19,000 appointments and operations were cancelled.
In terms of the financial damage, no NHS organisation paid the ransom, but there is no estimate of the cost of disruption to services, or of restoring data and systems affected by the attack.
The report notes that in some respects the NHS was lucky because the hack could have caused more disruption if it had not been stopped by a cyber researcher activating a ‘kill switch’ so that WannaCry stopped locking devices.
Because there had been no rehearsal for a national cyber attack, it was not immediately clear who should lead the response, and there were problems with communications. Many local organisations could not communicate with national NHS bodies by email because they had been infected by WannaCry, or had shut down their email systems as a precaution.
Locally, NHS staff shared information through personal mobile devices, including using the encrypted WhatsApp application.
Shared vulnerabilities
Since the attack occurred on a Friday it caused minimal disruption to primary care services, which in general are closed for the weekend. Twenty-two of the 27 infected hospitals managed to continue treating urgent and emergency patients throughout the weekend, but five, in London, Essex, Hertfordshire, Hampshire and Cumbria, had to divert patients to other Accident and Emergency departments.
The investigation, published at the end of October, found that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves. The infected organisations had unpatched or unsupported Windows operating systems, so were susceptible to the ransomware.
The Department of Health had written to hospital trusts in 2014, saying it was essential they had “robust plans” to migrate away from old software, such as Windows XP, by April 2015.
Following this, in March and April 2017, the NHS issued critical alerts warning organisations to patch their systems specifically to protect them against WannaCry.
However, before the attack in May 2017, there was no formal mechanism for the Department of Health to check that local NHS organisations had complied with its guidance.
“There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks,” said Amyas Morse, head of the National Audit Office, when his report was published.