Public Services > Healthcare

NAO highlights DH's lack of answers on extent of WannaCry cyber attack

David Bicknell Published 27 October 2017

Watchdog highlights NHS lack of readiness for WannaCry; DH struggles to provide answers to several questions on disruption, costs and cancellations


A typically forensic investigation by the National Audit Office (NAO) into the WannaCry cyber attack that affected the NHS in England in May has highlighted how NHS management organisations still seem to be unable to get access to key information about the extent of the attack.

The report details that the Department of Health had developed a plan for responding to a cyber attack, which included roles and responsibilities of national and local organisations, but had not tested the plan at a local level.

The NAO’s report, ‘Investigation: WannaCry cyber attack and the NHS’ , examines the NHS’s response to the cyber attack that affected it in May 2017 and the impact on health services.

It discusses the attack on  Friday 12 May 2017 of the WannaCry virus, which encrypted data on infected computers and demanded a ransom payment to allow users access, was released worldwide. WannaCry was the largest cyber attack to affect the NHS in England, although individual trusts had been attacked before May 12.

The NAO investigation focused on the ransomware attack's impact on the NHS and its patients; why some parts of the NHS were affected; and how the Department of Health and NHS national bodies responded to the attack.

A consequent theme in its findings is that the Department of Health ‘does not know’ the answers to many of the questions the NAO asked.

The NAO’s key findings are:               

  • The Department of Health was warned about the risks of cyber attacks on the NHS a year before WannaCry and although it had work underway it did not formally respond with a written report until July 2017. 

The Department and Cabinet Office had written to trusts in 2014, saying it was essential they had "robust plans" to migrate away from old software, such as Windows XP by April 2015. Earlier this year, in March and April 2017, NHS Digital had issued critical alerts warning organisations to patch their systems to prevent WannaCry. However, before May 12, the Department had no formal mechanism for assessing whether local NHS organisations had complied with their advice and guidance and whether they were prepared for a cyber attack.

  • The attack led to disruption in at least 34% of trusts in England although the Department of Health and NHS England do not know the full extent of the disruption. On May 12, NHS England initially identified 45 NHS organisations including 37 trusts that had been infected by the WannaCry ransomware.

In total at least 81 out of 236 trusts across England were affected. A further 603 primary care and other NHS organisations were infected by WannaCry, including 595 GP practices. However, the NAO said, the Department of Health “does not know” how many NHS organisations could not access records or receive information, because they shared data or systems with an infected trust.” NHS Digital told the NAO that it believes no patient data were compromised or stolen.

  • Thousands of appointments and operations were cancelled and in five areas patients had to travel further to accident and emergency departments.

Between May 12 and May 18, the NAO said, NHS England collected some information on cancelled appointments, to help it manage the incident, but this did not include all types of appointment. NHS England identified 6,912 appointments had been cancelled, and estimated over 19,000 appointments would have been cancelled in total. “Neither the Department nor NHS England know how many GP appointments were cancelled, or how many ambulances and patients were diverted from the five accident and emergency departments that were unable to treat some patients,” the NAO said.

  • The Department of Health, NHS England and the National Crime Agency told the NAO that no NHS organisation paid the ransom, but the Department of Health “does not know” how much the disruption to services cost the NHS. 

The costs included cancelled appointments; additional IT support provided by NHS local bodies, or IT consultants; or the cost of restoring data and systems affected by the attack. National and local NHS staff worked overtime including over the weekend of 13 to 14 May to resolve problems and to prevent a fresh wave of organisations being affected by WannaCry on Monday May 15.

  • The cyber attack could have caused more disruption if it had not been stopped by a cyber researcher activating a 'kill switch' so that WannaCry stopped locking devices.

Between 15 May and mid-September NHS Digital and NHS England identified a further 92 organisations, including 21 trusts, as contacting the WannaCry domain, though some of these may have been contacting the domain as part of their cyber security activity. Of the 37 trusts infected and locked out of devices, 32 were located in the North NHS Region and the Midlands & East NHS region. NHS England believes more organisations were infected in these regions because they were hit early on 12 May before the WannaCry 'kill switch' was activated.

  • The Department of Health had developed a plan, which included roles and responsibilities of national and local organisations for responding to an attack, but had not tested the plan at a local level. 

As the NHS had not rehearsed for a national cyber attack it was not immediately clear who should lead the response and there were problems with communications.  Many local organisations could not communicate with national NHS bodies by email as they had been infected by WannaCry or had shut down their email systems as a precaution, though NHS Improvement did communicate with trusts' chief executives by phone. Locally NHS staff shared information through personal mobile devices, including using the encrypted WhatsApp application.

  • NHS England initially focused on maintaining emergency care. 

Since the attack occurred on a Friday it caused minimal disruption to primary care services, which tend to be closed over the weekend. Twenty-two of the 27 infected acute trusts managed to continue treating urgent and emergency patients throughout the weekend. However, five, in London, Essex, Hertfordshire, Hampshire and Cumbria had to divert patients to other Accident and Emergency departments, and a further two needed outside help to continue treating patients. By 16 May only two hospitals were still diverting patients. The recovery was helped by the work of the cyber security researcher that stopped WannaCry spreading.

  • NHS Digital told the NAO that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves.

Infected organisations had unpatched, or unsupported Windows operating systems so were susceptible to the ransomware. However, whether organisations had patched their systems or not, taking action to manage their firewalls facing the internet would have guarded organisations against infection

The NAO said the NHS has accepted that there are lessons to learn from WannaCry and is already taking action to improve the protection of services from future cyber attacks.

These include the need to:

  • develop a response plan setting out what the NHS should do in the event of a cyber attack and establish the roles and responsibilities of local and national NHS bodies and the Department;
  • ensure organisations implement critical CareCERT alerts, including applying software patches and keeping anti-virus software up to date and identifying;
  • ensure essential communications are getting through during an incident when systems are down; and
  • ensure that organisations, boards and their staff are taking the cyber threat seriously, understand the direct risks to front-line services and are working proactively to maximise their resilience and minimise the impact on patient care.

Following the WannaCry attack, the NAO said, NHS England and NHS Improvement wrote to every trust, clinical commissioning group and commissioning support unit asking boards to ensure that they had implemented all 39 CareCERT alerts issued by NHS Digital between March and May 2017 and had taken essential action to secure local firewalls.

Amyas Morse, head of the NAO said, “The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”



We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.