WannaCry report shows NHS chiefs knew of security danger, but management took no action

By Eerke Boiten and David S. Wall

Published 31 October 2017

A report from the parliamentary National Audit Office into the WannaCry ransomware attack that brought down significant parts of Britain’s National Health Service in May 2017 has predictably been reported as blaming NHS trusts and smaller organizations within the care system for failing to ensure that appropriate computer security measures such as software updates and secure firewalls were in place. But the central NHS IT organization, NHS Digital, provided security alerts and the correct patches that would have protected vulnerable systems well before WannaCry hit. This is not a cybersecurity failure in the practicalities, but a failure of cybersecurity management at the top level.

Despite the extensive news coverage it received, WannaCry was a major wake-up call for the NHS rather than a downright disaster. It wasn’t a sophisticated attack. But any attack based on an actual zero-day exploit – a software flaw creating a security hole that is not yet known to the manufacturer or has not been made public, and so no defence or patch exists to prevent the attack succeeding – could hit the NHS much harder than WannaCry did.

Given the lessons learned discussed in the NAO report, hopefully the NHS will be better prepared next time. And as there will definitely be a next time, the NHS had better have learned its lessons, because the implications of not doing so could be much greater.

Failing to plan is planning to fail
As it happened, much of the damage caused by WannaCry – including many of the more than 19,000 missed appointments – did not relate directly to the attack. The NAO report makes it clear that the NHS as a whole lacked a proper response to a national cybersecurity incident. The business continuity plan had not been tested against such a serious attack. Although only a relatively small number of NHS organisations were actually infected by WannaCry, other parts of the NHS shut down their systems as a precaution to prevent WannaCry spreading until they were sure what to do. Email systems were switched off without first establishing alternatives, leading to improvisation by telephone and WhatsApp.