An independent investigation into the WannaCry cyber-attack makes uncomfortable reading for the NHS. The National Audit Office (NAO) report castigates the health service for being unprepared for what the NAO calls a relatively unsophisticated attack, which “could have been prevented by the NHS following basic IT security best practice.” It also highlights fundamental crisis management flaws.
The WannaCry attack, ransomware that encrypted files on infected computers and demanded payment to unlock them, caused widespread disruption and led to the cancellation of thousands of appointments and operations.
As long ago as 2014, the Department of Health and the Cabinet Office wrote to NHS Trusts saying it was essential they had “robust plans” to migrate away from old software.
In March and April 2017, NHS Digital warned organisations to patch their systems to help make them more secure. Unfortunately, the Department had no formal way of knowing whether NHS Trusts had complied with that advice and updated their systems.
Prior to the attack, NHS Digital carried out an “on-site cybersecurity assessment” at 88 health trusts in England. None of the trusts passed, but the agency had no powers to force them to “take remedial action”.
What the report doesn’t mention, presumably because it is outside its remit, is that upgrades cost money, something in short supply at the NHS. As every computer user knows, replacing an operating system often breaks the applications and equipment that depend on it, so they too need replacing.
However, from a crisis management perspective, it is less easy to be charitable, as dealing with a cyber-attack isn’t just about getting the technology right.
Plan not tested
The report found that the Department “had developed a plan, which included roles and responsibilities of national and local organisations for responding to an attack, but had not tested the plan at a local level.”
The NHS is generally excellent at responding to major incidents but was left floundering in the wake of a cyber-attack. It took the various NHS Trusts far too long to “determine the cause of the problem, the scale of the problem and the number of organisations and people affected.”
Major communication problems
As guidelines were sparse and the NHS had not simulated a cyber-attack during an exercise, it wasn’t clear who should lead the response, and the report suggests there were major communication problems. Rule number one in crisis management is knowing who is in charge and who can take decisions.
At 18:45 on the day of the attack, NHS England initiated its Emergency Preparedness, Resilience and Response plans to act as the single point of coordination for incident management. But as these processes had not been tested, local organisations reported the attack to many different organisations both inside the health sector and beyond, including the police.
Communication was made more difficult because many local organisations were unable to contact national NHS bodies by email, either because they had been infected by WannaCry or because they had shut down their email systems as a precaution.
There is no doubt the NHS is good at improvising in a crisis, and on a local level many staff used WhatsApp successfully on their personal devices to share information. That improvisation worked, but it also meant incident communications ran over channels the NHS neither controlled nor logged, which is not something a response plan should rely on.
The report itemises some essential improvements the NHS needs to undertake, and frankly it is all crisis management 101. The NHS needs to:
- Develop a response plan setting out what the NHS should do in the event of a cyber-attack and establish the roles and responsibilities of local and national NHS bodies and the Department.
- Ensure organisations implement critical CareCERT alerts, including applying software patches and keeping anti-virus software up to date.
- Ensure essential communications are getting through during an incident when systems are down.
- Ensure that organisations, boards and their staff are taking the cyber threat seriously, understand the direct risks to front-line services and are working proactively to maximise their resilience and minimise the impact on patient care.
For businesses, cyber is a top-tier threat, and the financial sector in particular takes this risk extremely seriously: in most cases banks and insurance companies plan, train and stage crisis management simulations for exactly this eventuality, something the NHS singularly failed to do. Bringing NHS IT up to scratch will cost money and take time. Basic crisis management processes and protocols should be implemented immediately.