At least 34% of NHS trusts in England were disrupted by the WannaCry cyber attack in May 2017 despite critical alerts from NHS Digital two months earlier urging organisations to patch their systems to prevent such an attack, according to a report from the National Audit Office (NAO).
The report, published on 27 October 2017, says that in addition to these alerts from NHS Digital, the Department of Health (DH) and Cabinet Office wrote to trusts in 2014, instructing them to have “robust plans” to migrate away from old software, such as Windows XP, by April 2015.
However, the NAO reports that, before 12 May 2017, the DH had no formal mechanism for assessing whether NHS organisations had complied with its advice and guidance.
Under instruction from the health secretary, the National Data Guardian and the Care Quality Commission carried out a review of data security, published in July 2016, which warned the DH that cyber attacks could lead to patient information being lost or compromised and could jeopardise access to critical patient record systems.
The two organisations recommended that all health and care organisations provide evidence that they were taking action to improve cyber-security, including moving off old operating systems.
However, the DH did not publish its formal response to the recommendations until July 2017, after the WannaCry attack. Although it had developed a plan before the attack, which set out the roles and responsibilities of national and local organisations for responding to an attack, it had not tested that plan at a local level.
According to NHS England, the WannaCry ransomware affected at least 81 out of the 236 trusts across England, because they were either infected by the ransomware or turned off their devices or systems as a precaution. A further 603 primary care and other NHS organisations were also infected, including 595 GP practices.
But the report says that the DH and NHS England still do not know the full extent of the disruption.
In response to the cyber attack, the NHS and DH are developing a response plan to set out what the NHS should do in the event of a cyber attack and to establish the roles and responsibilities of local and national NHS bodies and the DH.
Dan Taylor, head of security at NHS Digital, said NHS Digital had learned a lot from WannaCry and was working closely with colleagues in other national bodies to offer support and services to frontline organisations.
“It was an international attack on an unprecedented scale that affected organisations across the world.
While it did not specifically target the NHS, the impact on our health services was significant and we were part of a multi-agency response to support affected sites and get critical systems back online,” he said.