1. On the basis of a report by the Comptroller and Auditor General, we took evidence from the Department of Health and Social Care (the Department), NHS England, NHS Improvement, and NHS Digital about the WannaCry cyber-attack.[1]
2. On Friday 12 May 2017 the global ransomware attack, known as WannaCry, affected more than 200,000 computers in at least 100 countries. In the UK, the attack particularly affected the NHS, although it was not the specific target. At 4pm on 12 May, NHS England declared the cyber-attack a major incident and implemented its emergency arrangements to maintain health and patient care. On the evening of 12 May a cyber-security researcher activated a kill-switch so that WannaCry stopped locking devices.[2]
3. According to NHS England, the WannaCry ransomware affected some 80 out of the 236 trusts across England, because they were either infected by the ransomware or turned off their devices or systems as a precaution. A further 603 primary care and other NHS organisations were also infected, including 595 GP practices. The attack led to the NHS cancelling almost 20,000 hospital appointments and operations. However, neither the Department nor NHS England know how many GP appointments were cancelled, or how many ambulances and patients were diverted from five accident and emergency departments that were unable to treat some patients.[3]
4. Local organisations such as NHS trusts, NHS foundation trusts, clinical commissioning groups and GP practices are responsible for their own cyber security arrangements, which are overseen and supported by NHS England, NHS Digital, NHS Improvement and the Care Quality Commission. For example: NHS Digital shares alerts about cyber threats, provides a hotline for dealing with incidents, shares best practice and carries out on-site assessments of organisations’ cyber security; and NHS England requires trusts to comply with the data security standards set out in the standard NHS contract for 2017–18.[4]
5. The Department and the Cabinet Office wrote to NHS trusts in 2014, warning them it was essential they had “robust plans” to migrate away from old software, such as Windows XP, by April 2015.[5] A further warning came from the National Data Guardian and Care Quality Commission (CQC) in July 2016 that cyber-attacks could lead to patient information being lost or compromised and jeopardise access to patient record systems.[6] In March and April 2017, just before the WannaCry attack, NHS Digital had issued critical alerts warning NHS organisations to patch their systems, and NHS Digital told us that patching had taken place in more than two-thirds of trusts when the attack occurred.[7]
6. In response to these warnings, the Department told us that at the time of the WannaCry cyber-attack, a major programme of work was underway to improve cyber security across the NHS for the first time. However, local NHS organisations’ responses to the warnings on improving their cyber security since 2014 had been mixed. In 2015, about 18% of NHS systems had used XP; this was down to 4.7% at the time of the WannaCry attack, and according to the Department is now down to 1.8%.[8] Some NHS organisations still have a lot to do to improve their cyber security, including Barts Health NHS Trust, one of the largest NHS trusts affected by WannaCry.[9]
7. The Department and NHS England told us that they had a lot to learn from the WannaCry attack and that a “whole series of things needed to change”.[10] In February 2018, just a few days before our evidence session, the Department, NHS England and NHS Improvement published a Lessons Learned review which included 22 recommendations to strengthen cyber security in the NHS. However, neither the Department nor NHS England could provide us with details on the costs and timescale for implementing the recommendations and did not expect to have a much clearer plan and timetable for a few weeks or months. We asked the Department and NHS England to provide six-monthly updates on progress with the plan to the National Audit Office, which the Department agreed would be completely appropriate.[11]
8. The Department and its arm’s-length bodies had developed a plan for responding to a cyber-attack, but it had not been tested with local organisations. NHS England therefore initiated its emergency response plan, although not until three hours after the attack had been declared a major incident, which it agreed was too slow. NHS England also told us that, although it considered that its emergency plan had worked well, cyber-attacks were different to other types of major incidents, and NHS organisations needed more specific guidance. In particular, when the WannaCry attack began, local bodies did not know who to contact and what actions they should take. Trusts reported the attack to different organisations within and outside the health sector, including local police services. Similarly, communications from national bodies to local organisations and to the public also came from a number of sources, including NHS England, NHS Digital and the National Cyber Security Centre.[12]
9. Some NHS trusts could not access email because they had been infected by WannaCry or had disconnected from the NHS network as a precautionary measure. Therefore front-line NHS staff used WhatsApp and mobile phones to communicate.[13] The Department told us that NHS England’s emergency response team had been able to communicate with each other during the attack, but acknowledged WannaCry showed that a wider network of contacts was required to manage a cyber-attack.[14] NHS England told us that, since the WannaCry attack, it had developed an IT-specific response plan (a cyber handbook) for use in the event of another cyber-attack. This plan requires local organisations to contact NHS Digital’s data security operation centre if they suspect a cyber-attack is underway.[15] They also told us that NHS Digital and the Chief Information Officers of local organisations have created new communication channels, including a text message service allowing NHS Digital to communicate with key personnel across the NHS, such as Chief Information Officers. There were also now local text message services allowing Chief Information Officers and Chief Clinical Information Officers to communicate with each other.[16]
10. Before 12 May 2017, the Department and its national bodies did not know whether every NHS organisation was prepared for a cyber-attack and relied too much on local organisations’ own assessment of their information governance.[17] Since WannaCry, the Department, NHS England and NHS Digital told us that they have improved their understanding of local organisations’ readiness for another cyber-attack. For example, NHS Digital has now assessed cyber security at 200 trusts to identify vulnerabilities, compared to the 88 assessed before WannaCry.[18]
11. Although none of the 200 trusts had passed NHS Digital’s cyber security assessment, the Department, NHS England and NHS Improvement told us that at least they now know which organisations they are most worried about, and have plans to improve cyber security at a number of organisations. The Department and NHS Digital told us that trusts had not passed the test, not because they had not done anything on cyber security, but rather that the Cyber Essentials Plus standard against which they are assessed is a high bar. However, some trusts had failed the assessment solely because they had not patched their systems—the main reason the NHS had been vulnerable to WannaCry.[19] NHS England told us that it is also concerned that trusts that were not infected by WannaCry could become complacent over cyber security and not keep on top of their cyber security risks.[20]
12. NHS Digital told us it was a priority for it to understand what cyber security arrangements were in place at a local level so it had the information and could provide targeted advice and support during any future cyber-attack.[21] However, NHS Digital still did not have some of the key information it needed to manage any future national attack on the NHS, such as on the use of anti-virus software and IP addresses, and whether the boards of local organisations include cyber security on their risk registers.[22]
1 Report by the Comptroller and Auditor General, Investigation: WannaCry cyber attack and the NHS, Session 2017–19, HC 414, 27 October 2017
2 C&AG’s Report, para 1
3 C&AG’s Report, para 1, 5–6, Figure 1
4 Qq 7–8, 28; C&AG’s Report, para 3, Figure 4
5 C&AG’s Report, Summary para 4
6 National Data Guardian for Health and Care, Review of Data Security, Consent and Opt-Outs (June 2016), para 2.1.9; Care Quality Commission, Safe data, safe care (June 2016), pp. 11–12
7 Q 11, C&AG’s Report, para 2.5
8 Q 4
9 Qq 54, 56
10 Qq 11, 22, 25
11 Qq 65–66
12 Qq 32–38, 61–62; C&AG’s Report, para 3.3, 3.4
13 Qq 35; C&AG’s Report, para 3.4–3.5; NHS Providers (WCA0003), para 6–8
14 Qq 34, 37, 61–62
15 Qq 33, 35–38
17 Qq 40, 54, 63; C&AG’s Report, para 2.10–2.12
18 Qq 5–6
19 Qq 5–7, 54–56
20 Q 56
21 Qq 50–52
22 Qq 63–64; C&AG’s Report, para 2.12
18 March 2018