Report: “Simple Actions” Could Have Protected NHS from WannaCry | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Report: “Simple Actions” Could Have Protected NHS from WannaCry

October 31, 2017
by Heather Landi
| Reprints
Click To View Gallery

The digital arm of the National Health Service (NHS) reports that all healthcare organizations infected by the WannaCry virus, which caused major disruptions in the U.K. medical care system, shared the same vulnerability and could have taken simple actions to protect themselves, according to a new British government report.

An investigation by the National Audit Office into the WannaCry cyber attack and its impact on the NHS found that all NHS organizations infected by WannaCry had unpatched or unsupported Windows operating systems and were susceptible to the ransomware. “However, whether organizations had patched their systems or not, taking action to manage their firewalls facing the internet would have guarded their organizations against infection,” the report stated. “NHS Digital told us that the majority of NHS devices infected were unpatched but on supported Microsoft Windows 7 operating systems. Unsupported devices (those on XP) were in the minority of identified issues. NHS Digital has also confirmed that the ransomware spread via the internet.”

The report, ordered by the House of Commons, examines the NHS’s response to the cyber attack in May and the impact on health services. On May 12, a global ransomware attack, known as WannaCry, affected more than 200,000 computers in at least 100 countries. In the United Kingdom, the attack particularly affected the NHS. Later that same day, NHS England declared the cyber attack a major incident and implemented its emergency arrangements to maintain health and patient care, and that evening, a cybersecurity researcher activated a kill-switch so that WannaCry stopped locking devices, according to the report.

The WannaCry ransomware affected at least 81 out of the 236 trusts across England, either because computers were infected by the ransomware or the organizations turned off their devices and systems as a precaution. What’s more, 603 primary care and other NHS organizations were also infected, including 595 GP practices, the report stated.

The government investigation found that the Department of Health was warned about the risks of cyber attacks on the NHS a year before the WannaCry malware attack and specifically warned that cyber attacks could lead to patient information being lost or compromised, which could jeopardize access to critical patient record systems. “They recommended that all health and care organizations needed to provide evidence that they were taking action to improve cybersecurity, including moving off old operating systems. Although the Department and its arm’s-length bodies had work under way to improve cybersecurity in the NHS, the Department did not publish its formal response to the recommendations until July 2017 (a year after the recommendations and a month after WannaCry), the report states.

According to the report, the Department of Health and Cabinet Office warned the NHS as early as 2014 that it was “essential” that they had “robust plans” to migrate away from old software, such as Windows XP, by April 2015.

What’s more, in March and April 2017, the service’s digital arm had issued critical alerts warning organizations to patch their systems to prevent WannaCry. However, before May 12, 2017, the Department of Health had not formal mechanism for assessing whether NHS organizations had complied with its advice and guidance, the report stated. “Prior to the attack, NHS Digital had conducted an on-site cybersecurity assessment for 88 out of 236 trusts, and none had passed. However, NHS Digital cannot mandate a local body to take remedial action even if it has concerns about the vulnerability of an organization,” the report stated.

While no NHS organization paid the ransom during the WannaCry cyber attack, the Department of Health does not know the cost of the disruption to services, which could include cancelled appointments, additional IT support provided by local NHS bodies or the cost of restoring data and systems affected by the attack, according to the report.

The government investigators also examined how the NHS responded to the attack, and while the Department of Health had developed a plan, which included roles and responsibilities of national and local organizations for responding to an attack, the plan had not been tested at a local level. “This meant that NHS was not clear what actions it should take when affected by WannaCry,” the report stated. What’s more, as the NHS had not rehearsed for a national cyber attack, it was not immediately clear who should lead the response and there were problems with communications, the investigators found.

“In the absence of clear guidelines on responding to a national cyber attack, local organizations reported the attack to different organizations within and outside the health sector, including local police. Communication was difficult in the early stages of the attack as many local organizations could not communicate with national NHS bodies by email as they had been infected by WannaCry or had shut down their email systems as a precaution, although NHS Improvement did communicate with trusts’ chief executive officers by telephone,” the report stated. “Locally, NHS staff shared information through personal mobile devices, including using the encrypted WhatsApp application. Although not an official communication channel, national bodies and trusts told us it worked well during this incident.”

Lessons identified by the Department and NHS national bodies include the need to:

  • develop a response plan setting out what the NHS should do in the event of a cyber attack and establish the roles and responsibilities of local and national NHS bodies and the Department
  • ensure organizations implement critical CareCERT alerts (emails sent by NHS Digital providing information or requiring action), including applying software patches and keeping anti-virus software up to date
  • ensure essential communications are getting through during an attack when systems are down; and;
  • ensure that organizations, boards and their staff are taking the cyber threat seriously, understand the direct risks to front-line services and are working proactively to maximize their resilience and minimize impacts on patient care


Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



Study: EHRs Tied with Lower Hospital Mortality, But Only After Systems Have Matured

Over the past decade, there has been significant national investment in electronic health record (EHR) systems at U.S. hospitals, which was expected to result in improved quality and efficiency of care. However, evidence linking EHR adoption to better care is mixed, according to medical researchers.

Nursing Notes Can Help Predict ICU Survival, Study Finds

Researchers at the University of Waterloo in Ontario have found that sentiments in healthcare providers’ nursing notes can be good indicators of whether intensive care unit (ICU) patients will survive.

Health Catalyst Completes Acquisition of HIE Technology Company Medicity

Salt Lake City-based Health Catalyst, a data analytics company, has completed its acquisition of Medicity, a developer of health information exchange (HIE) technology, and the deal adds data exchange capabilities to Health Catalyst’s data, analytics and decision support solutions.

Advocate Aurora Health, Foxconn Plan Employee Wellness, “Smart City,” and Precision Medicine Collaboration

Wisconsin-based Advocate Aurora Health is partnering with Foxconn Health Technology Business Group, a Taiwanese company, to develop new technology-driven healthcare services and tools.

Healthcare Data Breach Costs Remain Highest at $408 Per Record

The cost of a data breach for healthcare organizations continues to rise, from $380 per record last year to $408 per record this year, as the healthcare industry also continues to incur the highest cost for data breaches compared to any other industry, according to a new study from IBM Security and the Ponemon Institute.

Morris Leaves ONC to Lead VA Office of Electronic Health Record Modernization

Genevieve Morris, who has been detailed to the U.S. Department of Veterans Affairs (VA) from her position as the principal deputy national coordinator for the Department of Health and Human Services, will move over full time to lead the newly establishment VA Office of Electronic Health Record Modernization.