The security operations lead for data security at NHS Digital said that the organisation “got it wrong” when communicating the details of the WannaCry cyber attack earlier this year.
The WannaCry attack, on 12 May, affected many NHS organisations in England. Many were unable to access their IT systems, and some shut down their IT systems completely as a precautionary measure.
Speaking on a panel at the UK Health Show on 27 September 2017, Chris Flynn said four hours had passed between the first reports of the attack and NHS Digital issuing a statement. As a result, a number of local organisations unnecessarily shut down vital communication connections, meaning that they did not receive important information about what to do next.
“We did not communicate as well as we could have done and some of the methods used by trusts to protect themselves as a result didn’t help,” said Flynn.
“Over the course of the weekend, we issued around 12 pieces of information but there were pockets of the population who did not receive any of it because they had drawn up a drawbridge.
“We needed to get ahead of the curve but there was a vacuum of information for [a number of] hours,” he added.
Also on the panel were Tracey Scotter, former director of ICT, and Andy Vernon, current director of ICT, from Sheffield Teaching Hospitals NHS Foundation Trust. Scotter explained that one of the key barriers during the attack was not having a thorough understanding of the IT landscape, and that a key lesson was that organisations should educate themselves now so that they are prepared.
“It was a bit like operating in a void, we were under intense pressure to answer lots of questions — we got answers from the BBC website in the end.
“You can never do enough prep but doing as much as you can is important,” she added.
Vernon, however, said that instead of being critical it was important that organisations learnt from these events and built good working relationships.
“We just need to move forward to get to a position where we learn how to collaborate and share information,” he said.
“We are one system trying to defend ourselves against quite a difficult set of threats so we need to find ways to share information and expertise.”
He added that it was also necessary to find channels of communication independent of the core networks to ensure that NHS colleagues could still contact one another in the event of an attack.
Flynn said that the cyber attack had put cyber security on the national agenda at a senior level but emphasised that it was everyone’s responsibility. “Not taking corporate devices and connecting to an insecure network — this is one thing people do without thinking.
“We need to make sure that people are fundamentally aware of cyber security,” he said.
It is believed that some 16 NHS organisations were affected by the cyber attack, including pharmacies.