The National Audit Office (NAO) report published today points to a shocking lack of insight and control at the Department of Health, as well as an unwillingness or inability on the part of NHS Trusts to respond to central guidance and support.
The WannaCry ransomware attack in May 2017 was a global event and affected many organisations beyond the NHS. However, the health service found itself having to declare a major incident and implement its emergency arrangements to maintain health and patient care after 81 of its 236 Trusts were impacted. A further 603 primary care and other NHS organisations were also affected.
WannaCry was not a particularly sophisticated attack. It could have been prevented by NHS organisations applying the security patches already available for their Windows operating systems, or by managing their Internet-facing firewalls more effectively so that the attack could not reach vulnerable machines in the first place.
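The two controls named above (patch state and firewall exposure) are things a Trust can check host by host. The script below is an added example written for this page, not code from the NAO report or from NHS Digital. It assumes, as a fact about WannaCry that the report does not spell out, that the worm spread between hosts over the SMBv1 file-sharing service on TCP port 445 using the flaw fixed by Microsoft bulletin MS17-010 (March 2017). The KB numbers listed are the MS17-010 packages for the builds named and should be confirmed against the bulletin for your own estate; later cumulative updates supersede them, so the script falls back to the most recent update date when none of them is present. It is read-only and needs an elevated session on Windows 7 / Server 2008 R2 or later (the firewall and connection cmdlets need Windows 8 / Server 2012 or later).

```powershell
# Added example (not NAO or NHS code): audit one Windows host for the controls
# that would have stopped WannaCry: MS17-010 applied, SMBv1 off, TCP 445 not exposed.
# Assumption: WannaCry spreads over SMBv1 / TCP 445 via the flaw fixed by MS17-010.
$ms17010Kbs = @(
    'KB4012598',                           # Windows XP / Server 2003 / Vista / 8 (out-of-band, 12 May 2017)
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

$findings = @()
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# 1. Unsupported OS: no further patches are coming, so nothing below makes it safe.
if ($os.Caption -match 'XP|2003') {
    $findings += 'FAIL: unsupported operating system; migrate rather than patch'
}

# 2. MS17-010 present? Get-HotFix lists installed packages by KB number.
$hotfixes = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($hotfixes) {
    $findings += "PASS: MS17-010 package installed ($($hotfixes.HotFixID -join ', '))"
} else {
    # Cumulative updates do not keep the original KB number, so an update installed
    # after the May 2017 out-of-band release probably supersedes it. Security-only
    # updates are not cumulative, hence CHECK rather than PASS.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($latest -and $latest.InstalledOn -ge [datetime]'2017-05-13') {
        $findings += "CHECK: no MS17-010 KB by name; $($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString()) may supersede it"
    } else {
        $findings += 'FAIL: no MS17-010 package found and no update installed since May 2017'
    }
}

# 3. SMBv1 server enabled? On Windows 8+ the SMB1Protocol optional feature may be
# removed outright; otherwise the LanmanServer 'SMB1' value (absent = enabled)
# is the switch Microsoft documents for Windows 7 / 2008 R2 onward.
$smb1Feature = $null
if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    $smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
}
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1 = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
if ($smb1Feature -and $smb1Feature.State -ne 'Enabled') {
    $findings += 'PASS: SMBv1 feature not installed'
} elseif ($null -eq $smb1 -or $smb1 -ne 0) {
    $findings += 'FAIL: SMBv1 server enabled; WannaCry needs SMBv1 to spread'
} else {
    $findings += 'PASS: SMBv1 server disabled'
}

# 4. Is SMB reachable? Listening on 445 with no inbound block rule means the host
# relies entirely on the perimeter firewall the report criticises.
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$blockRule = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
             Get-NetFirewallPortFilter |
             Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' }
if ($listening -and -not $blockRule) {
    $findings += 'WARN: SMB (TCP 445) listening with no inbound block rule; confirm the perimeter firewall drops 445 from the Internet'
} elseif ($listening) {
    $findings += 'PASS: SMB listening but the host firewall blocks inbound TCP 445'
} else {
    $findings += 'PASS: nothing listening on TCP 445'
}

$findings | ForEach-Object { Write-Output "$env:COMPUTERNAME  $_" }
```

Run it across an estate with Invoke-Command and keep the output as the evidence the NAO says was missing. A FAIL on SMBv1 is fixed with Set-SmbServerConfiguration -EnableSMB1Protocol $false (or Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol on Windows 8 and later). Do not simply block 445 on every host: domain-joined file servers need it internally. The control the report is pointing at is a perimeter rule that drops inbound TCP 445 from the Internet, with the host checks above catching the machines that rule was protecting.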
Amyas Morse, head of the National Audit Office, said:
The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.
There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.
What went wrong
What is particularly surprising in the NAO report is that steps had already been taken to prepare the NHS for an attack of this kind, but the Department of Health was slow to respond to recommendations, and it appears to have had little control over whether NHS organisations actually acted on the requirements set for them.
For example, the Secretary of State for Health asked the National Data Guardian and the Care Quality Commission to undertake reviews of data security, with reports published in July 2016 that warned the Department of Health that cyber attacks could lead to patient information being lost or compromised.
They recommended that all health and care organisations needed to provide evidence that they were taking action to improve security, including moving off old operating systems. However, the Department did not publish its formal response to the recommendations until July 2017.
The NAO report also highlights that the Department and its arm's-length bodies did not know whether local NHS organisations were prepared for an attack. Local Trusts and healthcare organisations are responsible for keeping the information they hold secure, but they are overseen by the Department of Health.
The Department and the Cabinet Office wrote to Trusts in 2014, saying it was essential they had "robust plans" to migrate away from old software, such as Windows XP, by April 2015. In March and April 2017, NHS Digital issued critical alerts warning organisations to patch their systems; applying those patches would have prevented WannaCry.
However, before 12 May 2017, the Department had no formal mechanism for assessing whether NHS organisations had complied with its advice and guidance.
Prior to the attack, NHS Digital had conducted an on-site cyber-security assessment of 88 of the 236 Trusts, and none had passed. Part of the problem is that NHS Digital cannot compel a local body to act even when it has concerns about that organisation's vulnerability.
Worryingly, even now, months after the attack, the Department of Health still does not know how much the disruption to services cost the NHS. These costs include cancelled appointments, additional IT support provided by local NHS bodies or IT consultants, and the cost of restoring the data and systems affected by the attack.
To rub salt in the wound, the Department of Health had developed a plan, including the roles and responsibilities of national and local organisations in responding to an attack, but had not tested it at a local level. As a result, the NHS was not clear what actions it should take when it was hit with the WannaCry ransomware.
In addition, because the NHS had not rehearsed for a national cyber attack, it was not immediately clear who should lead the response and there were problems with communications. In the absence of clear guidelines on responding to a national cyber attack, local organisations reported the attack to different organisations within and outside the health sector, including local police.
Communication was also difficult in the early stages of the attack as many local organisations could not communicate with national NHS bodies by email as they had been infected by WannaCry or had shut down their email systems as a precaution.
Following the NAO’s investigation, the NHS has accepted that there are lessons to be learned from WannaCry and it is taking the following actions:
- develop a response plan setting out what the NHS should do in the event of a cyber attack and establish the roles and responsibilities of local and national NHS bodies and the Department;
- ensure organisations implement critical CareCERT alerts (emails sent by NHS Digital providing information or requiring action), including applying software patches and keeping anti-virus software up to date;
- ensure essential communications are getting through during an attack when systems are down; and
- ensure that organisations, boards and their staff are taking the cyber threat seriously, understand the direct risks to front-line services and are working proactively to maximise their resilience and minimise impacts on patient care.
It is a shame that it takes a major incident like WannaCry, which was entirely preventable, to make the government and the NHS think about their ability to respond to cyber attacks. The threat of online attacks is not new, and it is quite alarming that response plans are only now being put in place. Equally, we need to think carefully about how effective the NHS can be if the Department of Health and bodies like NHS Digital have little central control or insight. Whilst Trusts will have local needs that they should cater for, the NHS needs to move in the same direction, together.