Out-Law News

NHS cyber incident response plan not tested locally prior to 'WannaCry' attack, NAO finds

A cyber incident response plan developed by the UK government was not tested locally across NHS trusts in England before a major cyber attack hit earlier this year, a report by the National Audit Office (NAO) has found.

Cyber risk expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said the report highlighted the importance of testing cyber incident response plans thoroughly and regularly, regardless of which sector organisations operate in.

Thousands of organisations around the world, including NHS bodies in the UK, were locked out of systems and data as a result of the so-called 'WannaCry' ransomware attack in May. The ransomware spread to systems that were running on out-of-date software that contained a vulnerability, despite the fact a security update for that software had been available since mid-March.

The NAO said (35-page / 2.51MB PDF) its investigation into the incident found that the Department of Health's incident response plan "included roles and responsibilities of national and local organisations for responding to an attack", but that because it was not tested "the NHS was not clear what actions it should take when affected by WannaCry". This resulted in an uncoordinated response to the attack, it said.

"As NHS England had not rehearsed its response to a cyber attack it faced a number of challenges," the NAO said. "The cyber attack was less visible than other types of incident and not confined to local areas or regions in the way a major transport accident would have been, for example. This meant that it took more time to determine the cause of the problem, the scale of the problem and the number of people and organisations affected."

"Without clear guidelines on responding to a national cyber attack, organisations reported the attack to different sources including the local police, NHS England and NHS Digital. For the same reason communications to patients and local organisations also came from a number of sources," the report said.

Birdsey said: "Developing a robust cyber incident response plan is an important first step, but the journey does not end there. It is critical that the plan is tested, reviewed and developed over time. It should be a living document which evolves and responds to the cyber threat landscape."

According to the NAO report, a failure to "maintain good cyber-security practices" exposed many NHS trusts to the risk of attack.

"The Department [of Health] and Cabinet Office wrote to trusts in 2014, saying it was essential they had 'robust plans' to migrate away from old software, such as Windows XP, by April 2015," the NAO said. "In March and April 2017, NHS Digital had issued critical alerts warning organisations to patch their systems to prevent WannaCry. However, before 12 May 2017, the Department had no formal mechanism for assessing whether NHS organisations had complied with its advice and guidance."

"Prior to the attack, NHS Digital had conducted an on-site cyber-security assessment for 88 out of 236 trusts, and none had passed. However, NHS Digital cannot mandate a local body to take remedial action even if it has concerns about the vulnerability of an organisation," it said.

Birdsey said: "It is interesting that a lot of good work had been undertaken at a central level, for example advice given to trusts on patching and updating technology. However, dealing with, managing, and mitigating cyber risk is a team sport, and cybersecurity measures are only as strong as the weakest link. This is reinforced by the findings that no trusts passed the NHS Digital audits prior to the incident."

At least 34% of trusts in England were impacted by WannaCry, although it is not clear what the full extent of the disruption was, the NAO said. The Department of Health said that more than 19,000 patient appointments may have been cancelled as a result of the attack, but the cost to the NHS of the disruption is unknown, according to the report.

Ransomware is a type of cyber attack in which hackers install malicious software onto computer systems that prevents businesses from carrying out everyday operations or from accessing data or other assets. Businesses are prompted to make a payment to the hackers to decrypt the data encrypted by the attack.

None of the NHS organisations affected by WannaCry paid the ransom demanded, the NAO's report said.

Birdsey said organisations are increasingly realising the business interruption cost of a cyber incident, and that this is having a positive impact on the growth of the cyber insurance market and on the focus on broader cyber risks such as business interruption.

"To date, the primary focus has been on privacy and data loss aspects," Birdsey said. "However, the recent WannaCry and NotPetya incidents have caused substantial business interruption losses, including substantial supply chain disruption. Such claims are now hitting the cyber and more general insurance markets."

Birdsey said that robust disaster recovery and business continuity plans can help organisations hit by ransomware attacks to avoid having to pay the ransom.
