WannaCry was the largest cyber attack to affect the NHS and it led to disruption in at least 34% of trusts in England, the auditor said. It added that the DH and NHS England still do not know the full extent of the disruption because they do not know how many NHS organisations could not access records or receive information because they shared data or systems with an infected trust.
Between 12 and 18 May 2017, 6,912 appointments had been cancelled and NHS England estimated that more than 19,000 appointments would have been cancelled in total as a result of the attack.
However, neither the DH nor NHS England knows how many GP appointments were cancelled or how many ambulances and patients were diverted from the five A&E departments that were unable to treat some patients, the report said.
All of the organisations infected with WannaCry had unpatched or unsupported Windows operating systems that were susceptible to the ransomware, the report added.
Cyber attack risk
The NAO said that the DH was warned about the risks of cyber attacks on the NHS a year before WannaCry.
The DH and Cabinet Office had written to trusts in 2014, saying it was essential they had ‘robust plans’ to migrate away from old software, such as Windows XP, by April 2015. NHS Digital had also issued critical alerts warning organisations to patch their systems to prevent WannaCry in March and April 2017.
‘However, [before the attack] there was no formal mechanism for assessing whether NHS organisations had complied with its advice and guidance,’ the NAO report said. ‘Prior to the attack, NHS Digital had conducted an on-site cyber-security assessment for 88 out of 236 trusts, and none had passed.’
The NAO said that the DH and NHS national bodies were taking steps to improve cyber security in the health service, including developing a response plan for how the NHS would cope with a future cyber attack and ensuring all organisations implement critical CareCERT alerts from NHS Digital, which relate to IT security.