NHS told to 'get serious' as full impact of cyberattack revealed

The National Audit Office investigation into 12 May’s ransomware attack, published today, was also critical of the Department of Health and NHS England for not testing plans for a major cyberattack – despite warnings a year earlier that an attack was likely.

The NAO report said: “As the NHS had not rehearsed for a national cyberattack it was not immediately clear who should lead the response and there were problems with communications.”

Commons public accounts committee chair, Labour MP Meg Hillier, said: “The DH failed to agree a plan with the NHS locally for dealing with cyberattacks so the NHS response came too late in the day. The NHS and the department need to get serious about cybersecurity or the next incident could be far worse.”

The NAO investigation revealed for the first time that at least 139 urgent cancer referrals were cancelled in the space of six days after the attack, however the actual number could be higher.

In addition, at least 1,220 pieces of diagnostic equipment were infected, preventing basic clinical tasks such as MRI scans and blood tests.

Despite these disruptions, the NAO said NHS organisations had not reported any harm to patients resulting from the attack.

Despite the NAO saying NHS England had not rehearsed for a major cyberattack, chief clinical information officer Keith McNeil said emergency plans were “tried and tested” and “activated quickly”.

“Our hard working NHS staff went the extra mile to provide patient care, keeping the impact on NHS services and patients to a minimum,” Dr McNeil told HSJ.

Macmillan Cancer Support policy director Moira Fraser said: “A secure, efficient IT infrastructure is clearly a vital aspect of timely cancer care. The NHS must take steps to ensure people’s cancer treatment is not affected by future cyberattacks. Cancer patients should not be subjected to avoidable delays due to IT.”

NHS Providers’ development and operations director, Ben Clacy, added the NHS was taking national and local steps to prepare for the next attack, but more capital investment was needed.

He said: “This incident was a powerful reminder that we need significant capital investment to ensure we can deal with the threat of cybercrime in the future.”

The DH announced new cyber security requirements for NHS organisations in July, two months after the attack, including £21m to improve cyber resilience for major trauma centres.

NHS England has also been making the case for additional capital for cybersecurity in the autumn budget.

Trusts infected by WannaCry ransomware

• Barts Health Trust
• Birmingham Community Foundation Trust
• Blackpool Teaching Hospitals FT
• Bradford District Care FT
• Bridgewater Community Healthcare FT
• Central Manchester University Hospitals FT
• Colchester Hospital University FT
• Cumbria Partnership FT
• East and North Hertfordshire Trust
• East Cheshire Trust
• East Lancashire Teaching Hospitals Trust
• Essex Partnership University FT
• George Eliot Hospital Trust
• Greater Manchester Mental Health FT
• Hampshire Hospitals FT
• Hull and East Yorkshire Trust
• Humber FT
• James Paget University Hospitals FT
• Lancashire Care FT
• Lancashire Teaching Hospital Trust
• Mid Essex Hospital Services Trust
• Norfolk and Norwich University Hospital FT
• North Cumbria University Hospitals Trust
• Northern Lincolnshire and Goole FT
• Northumbria Healthcare FT
• Nottinghamshire Healthcare FT
• Plymouth Hospitals Trust
• Royal Berkshire Hospital FT
• Salford Royal FT
• Shrewsbury and Telford Hospital Trust
• Solent Trust
• Southport and Ormskirk Hospital Trust
• The Dudley Group FT
• United Lincolnshire Hospitals Trust
• University Hospitals of Morecambe Bay FT
• Wrightington, Wigan and Leigh FT
• York Teaching Hospitals FT

Trusts disrupted but not infected by WannaCry

• Airedale FT
• Ashford and St Peter’s Hospitals FT
• Barking, Havering and Redbridge University Hospitals Trust
• Barnsley Hospital FT
• Bedford Hospital Trust
• Bradford Teaching Hospitals FT
• Brighton and Sussex University Hospitals Trust
• Buckinghamshire Healthcare FT
• Calderdale and Huddersfield FT
• Central London Community Healthcare Trust
• Chelsea and Westminster Hospital FT
• Doncaster and Bassetlaw Hospitals FT
• Dorset Healthcare FT
• East Kent Hospitals University FT
• Great Ormond Street Hospital FT
• Guy’s and St Thomas’ FT
• Harrogate and District FT
• Kettering General Hospital FT
• Kingston Hospital Trust
• Leeds and York Partnership FT
• Leeds Community Healthcare Trust
• Leeds Teaching Hospitals Trust
• Leicestershire Partnership Trust
• Lincolnshire Community Health Services Trust
• Lincolnshire Partnership Trust
• London North West Healthcare Trust
• Luton and Dunstable Trust
• Mid Yorkshire Hospitals Trust
• Moorfields Eye Hospital FT
• North West Ambulance Service Trust
• Northampton General Hospital Trust
• Northamptonshire Healthcare FT
• Rotherham, Doncaster and South Humber FT
• Sheffield Children’s FT
• Sheffield Health and Social Care FT
• Sheffield Teaching Hospitals FT
• South West Yorkshire Partnership FT
• South Western Ambulance Service FT
• Sussex Community FT
• The Rotherham FT
• University Hospitals of Leicester Trust
• West Hertfordshire Hospitals Trust
• West London Mental Health Trust
• Yorkshire Ambulance Service Trust