Services were disrupted at two Brighton-based NHS trusts as a result of the WannaCry ransomware attack, the National Audit Office said today (Friday 27 October).
The NAO said that the two trusts were not infected by the ransomware – and staff were not locked out of computers or equipment – but both were “known to have suffered disruption”.
The trusts were the Brighton and Sussex University Hospitals NHS Trust and the Sussex Community NHS Foundation Trust, which is based at the Brighton General Hospital, in Elm Grove.
The Sussex Community Trust disputed the National Audit Office findings and said that it was raising the matter with the NAO.
In a statement the trust said: “During the WannaCry cyber attack Sussex Community NHS Foundation Trust was not directly affected.
“There was no disruption to services provided and no systems were affected.”
The information relating to the effects on NHS trusts is believed to have been provided by NHS England which in turn relied on information from individual trusts.
Describing the types of disruption, the NAO said: “For example, these trusts shut down their email and other systems as a precaution and on their own initiative as they had not received central advice early enough on (Friday) 12 May to inform their decisions on what to do.
“This meant, for example, that they had to use pen and paper for activities usually performed electronically.”
Some trusts were affected for as long as seven days by the fallout from the cyber attack.
The NAO report said: “On Friday 12 May 2017 a global ransomware attack, known as WannaCry, affected more than 200,000 computers in at least 100 countries.
“In the UK, the attack particularly affected the NHS, although it was not the specific target.
“At 4pm on 12 May, NHS England declared the cyber attack a major incident and implemented its emergency arrangements to maintain health and patient care.
“On the evening of 12 May a cyber-security researcher activated a kill-switch so that WannaCry stopped locking devices.
“According to NHS England, the WannaCry ransomware affected at least 81 out of the 236 trusts across England, because they were either infected by the ransomware or turned off their devices or systems as a precaution.
“A further 603 primary care and other NHS organisations were also infected, including 595 GP practices.
“Before the WannaCry attack the Department of Health and its arm’s length bodies had work under way to strengthen cyber-security in the NHS.
“For example, NHS Digital was broadcasting alerts about cyber threats, providing a hotline for dealing with incidents, sharing best practice and carrying out on-site assessments to help protect against future cyber attacks.
“And NHS England had embedded the 10 Data Security Standards (recommended by the National Data Guardian) in the standard NHS contract for 2017-18 and was providing training to its board and local teams to raise awareness of cyber threats.
“In light of the WannaCry attack, the department announced further plans to strengthen NHS organisations’ cyber-security.”
The report added: “Thousands of appointments and operations were cancelled and in five areas patients had to travel further to accident and emergency departments.”
And it said that some trusts that were not directly infected may nonetheless have been unable to receive or access information as a result of the cyber attack.
No ransom was paid, the report said, but the NAO had not been able to say how much the ransomware attack cost.
The report said that communication was poor and added: “The disruption at trusts not infected by the ransomware was caused by
- the absence of timely central direction, leading to the trusts taking actions on their own initiative to avoid becoming infected, including shutting down devices or isolating devices from their networks to protect themselves from the ransomware or
- trusts not being able to access electronic patient records or receive information, such as test results, because they shared data or systems with an infected trust which had shut down its systems or
- trusts disconnecting from the N3 network, the broadband network connecting all NHS sites in England
“As at 19 May 2017, NHS England had identified 1,220 pieces of diagnostic equipment that had been infected, 1 per cent of all such NHS equipment.
“Although a relatively small proportion of devices, the figure does not include devices disconnected from IT systems to prevent infection.”
No harm was reported to patients although there were problems communicating, for example, the results of urgent scans.
And thousands of appointments were cancelled, possibly as many as 19,000.
The report said: “It is not possible to eliminate all cyber threats but organisations can prevent harm through good cyber-security.
“Such practice includes maintaining up-to-date firewalls and anti-virus software, and applying patches (updates) in a timely manner.
“NHS England’s view is that WannaCry infected some parts of the NHS mainly because organisations had failed to maintain good cyber-security practices.”
One clinician said that updates could be handled better but added that it was not always possible to download updates and apply patches at once because they sometimes had knock-on effects that might affect patient safety.
He also said that old Windows 7 and XP software had still been in use and this was part of the problem with the cyber attack in May.
And the NAO report noted that the firm behind Windows – Microsoft – was no longer supporting XP software with patches to protect against viruses.
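The points above about timely patching and unsupported Windows XP suggest a simple defensive inventory check. The following is an added example, not code from the article or the NAO report: it assesses a constructed host inventory against an unsupported-OS list (only XP, which the report says Microsoft no longer patched) and a patch window, and records any deferral, such as one needed for patient-safety validation, with an expiry so it stays tracked. The 30-day window, host names and dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Operating systems the vendor no longer patches. The report names XP;
# keeping the set local is an assumption about how a trust would maintain it.
UNSUPPORTED_OS = {"Windows XP"}
# Assumed local policy: a host is overdue once this many days have passed without patching.
PATCH_WINDOW_DAYS = 30

@dataclass
class Host:
    name: str
    os: str
    last_patched: date
    deferral_reason: str = ""             # why patching was postponed (e.g. clinical validation)
    deferral_until: Optional[date] = None  # a deferral must carry an expiry to remain an accepted risk

def assess(host: Host, today: date) -> List[str]:
    """Return findings for one host; an empty list means the host is compliant."""
    findings = []
    if host.os in UNSUPPORTED_OS:
        findings.append("unsupported-os")
    if today - host.last_patched > timedelta(days=PATCH_WINDOW_DAYS):
        if host.deferral_reason and host.deferral_until and host.deferral_until >= today:
            findings.append("patch-deferred")     # tracked, time-limited exception
        elif host.deferral_reason:
            findings.append("deferral-expired")   # exception lapsed without action
        else:
            findings.append("patch-overdue")
    return findings

def summarise(hosts: List[Host], today: date) -> dict:
    """Group host names by finding type so each category can be actioned."""
    report = {}
    for h in hosts:
        for f in assess(h, today):
            report.setdefault(f, []).append(h.name)
    return report

# Constructed sample inventory; the hosts and dates are hypothetical.
TODAY = date(2017, 5, 12)
SAMPLE = [
    Host("ward-pc-01", "Windows 7", date(2017, 5, 1)),
    Host("scanner-ctrl", "Windows XP", date(2014, 4, 8)),
    Host("mri-console", "Windows 7", date(2017, 2, 1), "vendor validation pending", date(2017, 6, 30)),
    Host("lab-pc-07", "Windows 7", date(2017, 1, 1), "awaiting test slot", date(2017, 3, 1)),
]

if __name__ == "__main__":
    for finding, names in sorted(summarise(SAMPLE, TODAY).items()):
        print(f"{finding}: {', '.join(names)}")
```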
It added: “The NHS has accepted that there are lessons to learn from WannaCry and is already taking action.”