The digital arm of the National Health Service (NHS) reports that every healthcare organization infected by the WannaCry ransomware, which caused major disruptions in the U.K. medical care system, shared the same vulnerability and could have taken simple actions to protect itself, according to a new British government report.
An investigation by the National Audit Office into the WannaCry cyber attack and its impact on the NHS found that all NHS organizations infected by WannaCry had unpatched or unsupported Windows operating systems and were susceptible to the ransomware. “However, whether organizations had patched their systems or not, taking action to manage their firewalls facing the internet would have guarded their organizations against infection,” the report stated. “NHS Digital told us that the majority of NHS devices infected were unpatched but on supported Microsoft Windows 7 operating systems. Unsupported devices (those on XP) were in the minority of identified issues. NHS Digital has also confirmed that the ransomware spread via the internet.”
The report, ordered by the House of Commons, examines the NHS’s response to the cyber attack in May and the impact on health services. On May 12, a global ransomware attack, known as WannaCry, affected more than 200,000 computers in at least 100 countries. In the United Kingdom, the attack particularly affected the NHS. Later that same day, NHS England declared the cyber attack a major incident and implemented its emergency arrangements to maintain health and patient care, and that evening, a cybersecurity researcher activated a kill-switch so that WannaCry stopped locking devices, according to the report.
The WannaCry ransomware affected at least 81 out of the 236 trusts across England, either because computers were infected by the ransomware or the organizations turned off their devices and systems as a precaution. What’s more, 603 primary care and other NHS organizations were also infected, including 595 GP practices, the report stated.
The government investigation found that the Department of Health was warned about the risks of cyber attacks on the NHS a year before the WannaCry attack, and specifically warned that cyber attacks could lead to patient information being lost or compromised, which could jeopardize access to critical patient record systems. “They recommended that all health and care organizations needed to provide evidence that they were taking action to improve cybersecurity, including moving off old operating systems. Although the Department and its arm’s-length bodies had work under way to improve cybersecurity in the NHS, the Department did not publish its formal response to the recommendations until July 2017 (a year after the recommendations and a month after WannaCry),” the report states.
According to the report, the Department of Health and Cabinet Office warned the NHS as early as 2014 that it was “essential” that they had “robust plans” to migrate away from old software, such as Windows XP, by April 2015.
What’s more, in March and April 2017, the service’s digital arm had issued critical alerts warning organizations to patch their systems to prevent WannaCry. However, before May 12, 2017, the Department of Health had no formal mechanism for assessing whether NHS organizations had complied with its advice and guidance, the report stated. “Prior to the attack, NHS Digital had conducted an on-site cybersecurity assessment for 88 out of 236 trusts, and none had passed. However, NHS Digital cannot mandate a local body to take remedial action even if it has concerns about the vulnerability of an organization,” the report stated.
While no NHS organization paid the ransom during the WannaCry cyber attack, the Department of Health does not know the cost of the disruption to services, which could include cancelled appointments, additional IT support provided by local NHS bodies or the cost of restoring data and systems affected by the attack, according to the report.
The government investigators also examined how the NHS responded to the attack. While the Department of Health had developed a plan, which included the roles and responsibilities of national and local organizations for responding to an attack, the plan had not been tested at a local level. “This meant that the NHS was not clear what actions it should take when affected by WannaCry,” the report stated. What’s more, as the NHS had not rehearsed for a national cyber attack, it was not immediately clear who should lead the response, and there were problems with communications, the investigators found.
“In the absence of clear guidelines on responding to a national cyber attack, local organizations reported the attack to different organizations within and outside the health sector, including local police. Communication was difficult in the early stages of the attack as many local organizations could not communicate with national NHS bodies by email as they had been infected by WannaCry or had shut down their email systems as a precaution, although NHS Improvement did communicate with trusts’ chief executive officers by telephone,” the report stated. “Locally, NHS staff shared information through personal mobile devices, including using the encrypted WhatsApp application. Although not an official communication channel, national bodies and trusts told us it worked well during this incident.”
Lessons identified by the Department and NHS national bodies include the need to:
- develop a response plan setting out what the NHS should do in the event of a cyber attack and establish the roles and responsibilities of local and national NHS bodies and the Department;
- ensure organizations implement critical CareCERT alerts (emails sent by NHS Digital providing information or requiring action), including applying software patches and keeping anti-virus software up to date;
- ensure essential communications are getting through during an attack when systems are down; and
- ensure that organizations, boards and their staff are taking the cyber threat seriously, understand the direct risks to front-line services and are working proactively to maximize their resilience and minimize impacts on patient care.