• NAO investigation finds at least 139 urgent cancer referrals cancelled after WannaCry cyberattack
  • Investigation criticises NHS England and DH response, and “absence of timely central direction”
  • Central bodies were ignorant of NHS’s cybersecurity arrangements and had not rehearsed national response
  • Nearly 600 GP practices shut down after infection

An investigation into the unprecedented WannaCry cyberattack on the NHS has revealed more than 130 urgent cancer referrals were cancelled and more than 1,000 medical devices were infected.

The National Audit Office investigation into 12 May’s ransomware attack, published today, was also critical of the Department of Health and NHS England for not testing plans for a major cyberattack – despite warnings a year earlier that an attack was likely.

Moira fraser

Moira Fraser: ‘Cancer patients should not be subjected to avoidable delays due to IT’

The NAO report said: “As the NHS had not rehearsed for a national cyberattack it was not immediately clear who should lead the response and there were problems with communications.”

Commons public accounts committee chair, Labour MP Meg Hillier, said: “The DH failed to agree a plan with the NHS locally for dealing with cyberattacks so the NHS response came too late in the day. The NHS and the department need to get serious about cybersecurity or the next incident could be far worse.”

The NAO investigation revealed for the first time that at least 139 urgent cancer referrals were cancelled in the space of six days after the attack, however the actual number could be higher.

In addition, at least 1,220 pieces of diagnostic equipment were infected, preventing basic clinical tasks such as MRI scans and blood tests.

Despite these disruptions, the NAO said NHS organisations had not reported any harm to patients resulting from the attack.

Other NAO findings included

  • There was an “absence of timely central direction” after the WannaCry attack.
  • The DH and other central bodies did not know the preparedness of the NHS for a major cyberattack. No single agency had clear responsibility for ensuring NHS organisations had robust cybersecurity.
  • At least 81 NHS trusts were disrupted including 37 directly infected with the WannaCry virus (see list below). These figures are similar to those revealed by HSJ’s analysis in July.
  • At least 595 GP practices were infected, with another 15 primary care organisations reporting disruptions. The attack occurring on a Friday meant the impact on primary care over the weekend was minimal.
  • NHS England confirmed at least 6,912 appointments were cancelled but estimated the true figure was closer to 19,000. Five hospitals had to divert accident and emergency patients to neighbouring units.
  • Most infected trusts were running the latest Windows operating system, but had not applied the latest security updates. Unsupported software (Windows XP) played a role in only a few trusts and was primarily related to medical devices.
  • Some NHS organisations appeared to have been fortunate, with 21 trusts and 71 GP surgeries attempting to connect with the WannaCry domain but avoiding losing access to their IT systems.
  • NHS Digital believes the virus travelled through an NHS private broadband network not an email link.

Despite the NAO saying NHS England had not rehearsed for a major cyberattack, chief clinical information officer Keith McNeil said emergency plans were “tried and tested” and “activated quickly”.

“Our hard working NHS staff went the extra mile to provide patient care, keeping the impact on NHS services and patients to a minimum,” Dr McNeil told HSJ.

Macmillan Cancer Support policy director Moira Fraser said: “A secure, efficient IT infrastructure is clearly a vital aspect of timely cancer care. The NHS must take steps to ensure people’s cancer treatment is not affected by future cyberattacks. Cancer patients should not be subjected to avoidable delays due to IT.”

NHS Providers’ development and operations director, Ben Clacy, added the NHS was taking national and local steps to prepare for the next attack, but more capital investment was needed.

He said: “This incident was a powerful reminder that we need significant capital investment to ensure we can deal with the threat of cybercrime in the future.”

The DH announced new cyber security requirements for NHS organisations in July, two months after the attack, including £21m to improve cyber resilience for major trauma centres.

NHS England has also been making the case for additional capital for cybersecurity in the autumn budget.

Trusts infected by WannaCry ransomware

  • Barts Health Trust
  • Birmingham Community Foundation Trust
  • Blackpool Teaching Hospitals FT
  • Bradford District Care FT
  • Bridgewater Community Healthcare FT
  • Central Manchester University Hospitals FT
  • Colchester Hospital University FT
  • Cumbria Partnership FT
  • East and North Hertfordshire Trust
  • East Cheshire Trust
  • East Lancashire Teaching Hospitals Trust
  • Essex Partnership University FT
  • George Eliot Hospital Trust
  • Greater Manchester Mental Health FT
  • Hampshire Hospitals FT
  • Hull and East Yorkshire Trust
  • Humber FT
  • James Paget University Hospitals FT
  • Lancashire Care FT
  • Lancashire Teaching Hospital Trust
  • Mid Essex Hospital Services Trust
  • Norfolk and Norwich University Hospital FT
  • North Cumbria University Hospitals Trust
  • Northern Lincolnshire and Goole FT
  • Northumbria Healthcare FT
  • Nottinghamshire Healthcare FT
  • Plymouth Hospitals Trust
  • Royal Berkshire Hospital FT
  • Salford Royal FT
  • Shrewsbury and Telford Hospital Trust
  • Solent Trust
  • Southport and Ormskirk Hospital Trust
  • The Dudley Group FT
  • United Lincolnshire Hospitals Trust
  • University Hospitals of Morecambe Bay FT
  • Wrightington, Wigan and Leigh FT
  • York Teaching Hospitals FT

Trusts disrupted but not infected by WannaCry

  • Airedale FT
  • Ashford and St Peter’s Hospitals FT
  • Barking, Havering and Redbridge University Hospitals Trust
  • Barnsley Hospital FT
  • Bedford Hospital Trust
  • Bradford Teaching Hospitals FT
  • Brighton and Sussex University Hospitals Trust
  • Buckinghamshire Healthcare FT
  • Calderdale and Huddersfield FT
  • Central London Community Healthcare Trust
  • Chelsea and Westminster Hospital FT
  • Doncaster and Bassetlaw Hospitals FT
  • Dorset Healthcare FT
  • East Kent Hospitals University FT
  • Great Ormond Street Hospital FT
  • Guy’s and St Thomas’ FT
  • Harrogate and District FT
  • Kettering General Hospital FT
  • Kingston Hospital Trust
  • Leeds and York Partnership FT
  • Leeds Community Healthcare Trust
  • Leeds Teaching Hospitals Trust
  • Leicestershire Partnership Trust
  • Lincolnshire Community Health Services Trust
  • Lincolnshire Partnership Trust
  • London North West Healthcare Trust
  • Luton and Dunstable Trust
  • Mid Yorkshire Hospitals Trust
  • Moorfields Eye Hospital FT
  • North West Ambulance Service Trust
  • Northampton General Hospital Trust
  • Northamptonshire Healthcare FT
  • Rotherham, Doncaster and South Humber FT
  • Sheffield Children’s FT
  • Sheffield Health and Social Care FT
  • Sheffield Teaching Hospitals FT
  • South West Yorkshire Partnership FT
  • South Western Ambulance Service FT
  • Sussex Community FT
  • The Rotherham FT
  • University Hospitals of Leicester Trust
  • West Hertfordshire Hospitals Trust
  • West London Mental Health Trust
  • Yorkshire Ambulance Service Trust

The HSJ Strategic Estates Forum is taking place on 20 March at BMA House in London. This is a high-level strategic forum that brings together estates directors, STP estates leads and trust board leaders responsible for the estates function who are developing strategic plans for their organisations and local health economies. The focus of the forum is on issues such as the delivery vehicle for the Naylor Report, the creation of Project Phoenix, advice on establishing SEPs (Strategic Estates Partnerships) and assessing progress of STP estates plans. Sir Robert Naylor, National Adviser, NHS Property and Estates; David Williams, Director General of Finance, Department of Health and Simon Corben, Head of Profession, NHS Improvement are all confirmed as keynote speakers for the event. Register your interest for this free-to-attend event on our website: https://strategicestates.hsj.co.uk/register-your-interest-attending


NHS told to 'get serious' as full impact of cyberattack revealed