A picture of the National Audit Office logo Report by the Comptroller and Auditor General Department of Health Investigation WannaCry cyber attack and the NHS HC 414 SESSION 2017-2019 27 OCTOBER 2017 Our vision is to help the nation spend wisely Our public audit perspective helps Parliament hold government to account and improve public services The National Audit Office scrutinises public spending for Parliament and is independent of government The Comptroller and Auditor General C AG Sir Amyas Morse KCB is an Officer of the House of Commons and leads the NAO The C AG certifies the accounts of all government departments and many other public sector bodies He has statutory authority to examine and report to Parliament on whether departments and the bodies they fund have used their resources efficiently effectively and with economy Our studies evaluate the value for money of public spending nationally and locally Our recommendations and reports on good practice help government improve public services and our work led to audited savings of GBP734 million in 2016 Department of Health Investigation WannaCry cyber attack and the NHS Report by the Comptroller and Auditor General Ordered by the House of Commons to be printed on 25 October 2017 This report has been prepared under Section 6 of the National Audit Act 1983 for presentation to the House of Commons in accordance with Section 9 of the Act Sir Amyas Morse KCB Comptroller and Auditor General National Audit Office 24 October 2017 HC 414 GBP10 00 This report investigates the NHS's response to the cyber attack that affected it in May 2017 and the impact on health services Investigations We conduct investigations to establish the underlying facts in circumstances where concerns have been raised with us or in response to intelligence that we have gathered through our wider work C National Audit Office 2017 The material featured in this document is subject to National Audit Office NAO copyright The material may be copied or reproduced for non-commercial purposes only namely reproduction for research private study or for limited internal circulation within an organisation for the purpose of review Copying for non-commercial purposes is subject to the material being accompanied by a sufficient acknowledgement reproduced accurately and not being used in a misleading context To reproduce NAO copyright material for any other use you must contact copyright@nao gsi gov uk Please tell us who you are the organisation you represent if any and how and why you wish to use our material Please include your full contact details name address telephone number and email Please note that the material featured in this document may not be reproduced for commercial gain without the NAO's express and direct permission and that the NAO reserves its right to pursue copyright infringement proceedings against individuals or companies who reproduce material for commercial gain without our permission Links to external websites were valid at the time of publication of this report The National Audit Office is not responsible for the future validity of the links 11594 10 17 NAO Contents What this investigation is about 4 Summary 5 Part One The impact of the cyber attack 11 Part Two Why some parts of the NHS were affected 16 Part Three How the Department and the NHS responded 21 Appendix One Our investigative approach 28 Appendix Two Trusts infected or disrupted by WannaCry 30 The National Audit Office study team consisted of Finnian Bamber Alex Bowyer Nigel Leung Francisca Lopes Linda Mills and David Williams under the direction of Robert White This report can be found on the National Audit Office website at www nao org uk For further information about the National Audit Office please contact National Audit Office Press Office 157-197 Buckingham Palace Road Victoria London SW1W 9SP Tel 020 7798 7400 Enquiries www nao org uk contact-us Website www nao org uk Twitter @NAOorguk If you are reading this document using a screen reader you may wish to use the bookmarks to navigate around this document 4 What this investigation is about Investigation WannaCry cyber attack and the NHS What this investigation is about 1 On Friday 12 May 2017 a global ransomware attack known as WannaCry affected more than 200 000 computers in at least 100 countries In the UK the attack particularly affected the NHS although it was not the specific target At 4 pm on 12 May NHS England declared the cyber attack a major incident and implemented its emergency arrangements to maintain health and patient care On the evening of 12 May a cyber-security researcher activated a kill-switch so that WannaCry stopped locking devices 2 According to NHS England the WannaCry ransomware affected at least 81 out of the 236 trusts across England because they were either infected by the ransomware or turned off their devices or systems as a precaution A further 603 primary care and other NHS organisations were also infected including 595 GP practices 3 Before the WannaCry attack the Department of Health the Department and its arm's-length bodies had work under way to strengthen cyber-security in the NHS For example NHS Digital was broadcasting alerts about cyber threats providing a hotline for dealing with incidents sharing best practice and carrying out on-site assessments to help protect against future cyber attacks and NHS England had embedded the 10 Data Security Standards recommended by the National Data Guardian in the standard NHS contract for 2017-18 and was providing training to its Board and local teams to raise awareness of cyber threats In light of the WannaCry attack the Department announced further plans to strengthen NHS organisations' cyber-security 4 Our investigation focuses on events immediately before 12 May 2017 and up until 30 September 2017 We only cover the effect the WannaCry attack had on the NHS in England We do not cover how the WannaCry attack affected other countries or organisations outside the NHS A cyber attack on either the health or social care sectors could cause disruption across the whole health and social care sector For example the Care Quality Commission CQC told us that as some trusts were unable to communicate with social services there could have been delays in the discharge of patients from hospital to social care although the CQC relayed advice from NHS Digital and NHS England to social care providers to help manage any disruption This investigation sets out the facts about o the ransomware attack's impact on the NHS and its patients o why some parts of the NHS were affected and o how the Department and NHS national bodies responded to the attack Investigation WannaCry cyber attack and the NHS Summary 5 Summary 1 The WannaCry attack affected NHS services in the week from 12 May to 19 May 2017 The Department of Health the Department and NHS England worked with NHS Digital NHS Improvement the National Cyber Security Centre the National Crime Agency and others to respond to the attack Key findings The risk of a cyber attack affecting the NHS 2 WannaCry was the largest cyber attack to affect the NHS although individual trusts had been attacked before 12 May 2017 For example two of the trusts infected by WannaCry had been infected by previous cyber attacks One of England's biggest trusts Barts Health NHS Trust had been infected before and Northern Lincolnshire and Goole NHS Foundation Trust had been subject to a ransomware attack in October 2016 leading to the cancellation of 2 800 appointments paragraph 3 7 and Figure 5 3 The Department was warned about the risks of cyber attacks on the NHS a year before WannaCry and although it had work under way it did not formally respond with a written report until July 2017 The Secretary of State for Health asked the National Data Guardian and the Care Quality Commission CQC to undertake reviews of data security These reports were published in July 2016 and warned the Department that cyber attacks could lead to patient information being lost or compromised and jeopardise access to critical patient record systems They recommended that all health and care organisations needed to provide evidence that they were taking action to improve cyber-security including moving off old operating systems Although the Department and its arm's-length bodies had work under way to improve cyber-security in the NHS the Department did not publish its formal response to the recommendations until July 2017 paragraphs 3 6 and 3 11 6 Summary Investigation WannaCry cyber attack and the NHS 4 The Department and its arm's-length bodies did not know whether local NHS organisations were prepared for a cyber attack Local healthcare organisations such as trusts and clinical commissioning groups are responsible for keeping the information they hold secure and for having arrangements in place to respond to an incident or emergency including a cyber attack Local healthcare bodies are overseen by the Department and its arm's-length bodies The Department and Cabinet Office wrote to trusts in 2014 saying it was essential they had robust plans to migrate away from old software such as Windows XP by April 2015 In March and April 2017 NHS Digital had issued critical alerts warning organisations to patch their systems to prevent WannaCry However before 12 May 2017 the Department had no formal mechanism for assessing whether NHS organisations had complied with its advice and guidance Prior to the attack NHS Digital had conducted an on-site cyber-security assessment for 88 out of 236 trusts and none had passed However NHS Digital cannot mandate a local body to take remedial action even if it has concerns about the vulnerability of an organisation paragraphs 2 5 2 7 2 10 to 2 12 and 3 2 and Figure 4 How the WannaCry attack affected the NHS 5 The attack led to disruption in at least 34% of trusts in England although the Department and NHS England do not know the full extent of the disruption Figure 1 On 12 May NHS England initially identified 45 NHS organisations including 37 trusts that had been infected by the WannaCry ransomware Over the following days more organisations reported they had been affected In total at least 81 out of 236 trusts across England were affected The trusts included o 37 infected and locked out of devices of which 27 were acute trusts and o 44 not infected but reporting disruption For example these trusts shut down their email and other systems as a precaution and on their own initiative as they had not received central advice early enough on 12 May to inform their decisions on what to do This meant for example that they had to use pen and paper for activities usually performed electronically NHS England and NHS Digital identified a further 21 trusts that were attempting to contact the WannaCry domain but were not locked out of their devices There are two possible reasons for this Trusts may have become infected after the kill-switch had been activated and were therefore not locked out of their devices Alternatively they may have contacted the WannaCry domain as part of their cyber-security activity A further 603 primary care and other NHS organisations were infected by WannaCry including 595 GP practices However the Department does not know how many NHS organisations could not access records or receive information because they shared data or systems with an infected trust NHS Digital told us that it believes no patient data were compromised or stolen paragraphs 1 2 to 1 5 and 1 9 and Figure 1 44 Trusts not infected but reporting disruption Patient appointments cancelled 7 GP practices and other organisations not infected but reporting disruption 595 GP practices infected and locked out of devices Some of the trusts identified as not infected but reporting disruption did have a small number of devices infected However they did not report themselves to NHS England as infected and NHS England did not recategorise them as being infected after the WannaCry attack was over Some trusts GP practices and other organisations were identified as having systems that attempted to contact the WannaCry domain but were not locked out of their devices There are two possible explanations for this they could have become infected after the kill-switch had been activated Or they could have avoided infection but contacted the WannaCry domain as part of their cyber-security activity NHS England does not know which organisations fall into each category 3 4 Source National Audit Office analysis of NHS England data The numbers shown are based on organisations self-reporting problems to national bodies and NHS England and NHS Digital's analysis of internet activity and may be higher if some organisations did not report the problems they experienced in a timely or accurate way 2 Notes 1 'Other organisations' include clinical commissioning groups commissioning support units an NHS 111 provider and non-NHS bodies that provide NHS care such as a hospice social enterprise and community interest companies Number of patients diverted from accident and emergency departments at infected trusts to other organisations includes patients conveyed in an ambulance Number of trusts or GPs that were delayed in receiving information such as test results from infected trusts 71 GP practices and other organisations where systems were attempting to contact WannaCry domain but not locked out of devices 8 Other organisations infected and locked out of devices Primary care and other NHS organisations Number of NHS organisations unable to access records because they shared data or systems with an infected trust Unknown disruption 21 Trusts where systems were attempting to contact WannaCry domain but not locked out of devices Hospital care Patient appointments cancelled Estimated 19 494 Including cancelled patient operations 37 Including 27 acute trusts Trusts infected and locked out of devices Known disruption The NHS experienced a wide range of disruption as a consequence of the WannaCry cyber attack Figure 1 The impact of WannaCry on the NHS Figure 1 shows that the NHS experienced a wide range of disruption as a consequence of the WannaCry cyber attack Investigation WannaCry cyber attack and the NHS Summary 7 8 Summary Investigation WannaCry cyber attack and the NHS 6 Thousands of appointments and operations were cancelled and in five areas patients had to travel further to accident and emergency departments Between 12 May and 18 May NHS England collected some information on cancelled appointments to help it manage the incident but this did not include all types of appointment NHS England identified 6 912 appointments had been cancelled and estimated more than 19 000 appointments would have been cancelled in total based on the normal rate of follow-up appointments to first appointments NHS England told us it does not plan to identify the actual number because it is focusing its efforts on responding appropriately to the lessons learned from WannaCry As data were not collected during the incident neither the Department nor NHS England know how many GP appointments were cancelled or how many ambulances and patients were diverted from the five accident and emergency departments that were unable to treat some patients paragraphs 1 7 1 8 and 1 10 and Figure 1 7 The Department NHS England and the National Crime Agency told us that no NHS organisation paid the ransom but the Department does not know how much the disruption to services cost the NHS The Department NHS England and the National Crime Agency told us no NHS organisation paid the ransom NHS Digital told us it advised the trusts it spoke to not to pay the ransom and wrote to all trusts on 14 May advising against the payment of ransoms The Department does not know the cost of the disruption to services Costs include cancelled appointments additional IT support provided by local NHS bodies or IT consultants or the cost of restoring data and systems affected by the attack National and local NHS staff worked overtime including over the weekend of 13-14 May to resolve problems and to prevent a fresh wave of organisations being affected by WannaCry on Monday 15 May paragraphs 1 11 and 1 12 8 The cyber attack could have caused more disruption if it had not been stopped by a cyber researcher activating a 'kill-switch' On the evening of 12 May a cyber-security researcher activated a 'kill-switch' so that WannaCry stopped locking devices This meant that some NHS organisations had been infected by the WannaCry ransomware but because of the researcher's actions they were not locked out of their devices and systems Between 15 May and mid-September NHS Digital and NHS England identified a further 92 organisations including 21 trusts as contacting the WannaCry domain although some of these may have been contacting the domain as part of their cyber-security activity Of the 37 trusts infected and locked out of devices 32 were located in the North NHS region and the Midlands and East NHS region NHS England believes more organisations were infected in these regions because they were hit early on 12 May before the WannaCry 'kill-switch' was activated paragraphs 1 14 and 2 2 and Figure 3 Investigation WannaCry cyber attack and the NHS Summary 9 The NHS response to the attack 9 The Department had developed a plan which included roles and responsibilities of national and local organisations for responding to an attack but had not tested the plan at a local level This meant the NHS was not clear what actions it should take when affected by WannaCry NHS England found that responding to WannaCry was different from dealing with other incidents such as a major transport accident Because WannaCry was different it took more time to determine the cause of the problem the scale of the problem and the number of organisations and people affected paragraph 3 3 and Figure 2 10 As the NHS had not rehearsed for a national cyber attack it was not immediately clear who should lead the response and there were problems with communications The WannaCry attack began on the morning of 12 May At 4 pm NHS England declared the cyber attack a major incident and at 6 45 pm initiated its existing Emergency Preparedness Resilience and Response plans to act as the single point of coordination for incident management with support from NHS Digital and NHS Improvement In the absence of clear guidelines on responding to a national cyber attack local organisations reported the attack to different organisations within and outside the health sector including local police Communication was difficult in the early stages of the attack as many local organisations could not communicate with national NHS bodies by email as they had been infected by WannaCry or had shut down their email systems as a precaution although NHS Improvement did communicate with trusts' chief executive officers by telephone Locally NHS staff shared information through personal mobile devices including using the encrypted WhatsApp application Although not an official communication channel national bodies and trusts told us it worked well during this incident paragraphs 3 3 to 3 5 and Figure 2 11 In line with its existing procedures for managing a major incident NHS England initially focused on maintaining emergency care Since the attack occurred on a Friday this caused minimal disruption to primary care services which tend to be closed over the weekend Twenty-two of the 27 infected acute trusts managed to continue treating urgent and emergency patients throughout the weekend However five - in London Essex Hertfordshire Hampshire and Cumbria - had to divert patients to other accident and emergency departments and a further two needed outside help to continue treating patients By 16 May only two hospitals were still diverting patients The recovery was helped by the work of the cyber-security researcher that stopped WannaCry spreading paragraphs 1 7 1 13 and 1 14 10 Summary Investigation WannaCry cyber attack and the NHS Lessons learned 12 NHS Digital told us that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves All NHS organisations infected by WannaCry had unpatched or unsupported Windows operating systems so were susceptible to the ransomware However whether organisations had patched their systems or not taking action to manage their firewalls facing the internet would have guarded organisations against infection NHS Digital told us that the majority of NHS devices infected were unpatched but on supported Microsoft Windows 7 operating systems Unsupported devices those on XP were in the minority of identified issues NHS Digital has also confirmed that the ransomware spread via the internet including through the N3 network the broadband network connecting all NHS sites in England but that there were no instances of the ransomware spreading via NHSmail the NHS email system paragraphs 1 2 1 6 and 2 4 to 2 6 13 There was no clear relationship between vulnerability to the WannaCry attack and leadership in trusts We found no clear relationship between trusts infected by WannaCry and the quality of their leadership as rated by the Care Quality Commission paragraph 2 8 14 The NHS has accepted that there are lessons to learn from WannaCry and is taking action Lessons identified by the Department and NHS national bodies include the need to o develop a response plan setting out what the NHS should do in the event of a cyber attack and establish the roles and responsibilities of local and national NHS bodies and the Department o ensure organisations implement critical CareCERT alerts emails sent by NHS Digital providing information or requiring action including applying software patches and keeping anti-virus software up to date o ensure essential communications are getting through during an attack when systems are down and o ensure that organisations boards and their staff are taking the cyber threat seriously understand the direct risks to front-line services and are working proactively to maximise their resilience and minimise impacts on patient care Since WannaCry NHS England and NHS Improvement have written to every trust clinical commissioning group and commissioning support unit asking boards to ensure that they have implemented all 39 CareCERT alerts issued by NHS Digital between March and May 2017 and taken essential action to secure local firewalls paragraphs 3 8 and 3 9 Investigation WannaCry cyber attack and the NHS Part One 11 Part One The impact of the cyber attack 1 1 WannaCry was the largest ever cyber attack to affect the NHS in England The timeline of the main events relating to the WannaCry ransomware attack which affected NHS services in the week from 12 May to 19 May 2017 is set out in Figure 2 overleaf The scale of the attack 1 2 NHS Digital told us that the ransomware spread via the internet including through the N3 network As shown in Figure 1 page 7 the WannaCry ransomware attack affected at least 81 out of 236 trusts across England These numbers are based on NHS organisations' own reports to NHS England Of these 81 trusts there were o 37 trusts infected and locked out of devices of which 27 were acute trusts and o 44 trusts not infected but reporting disruption NHS England and NHS Digital identified a further 21 trusts that were attempting to contact the WannaCry domain but were not locked out of their devices There are two possible reasons for this Trusts may have become infected after the kill-switch had been activated and were therefore not locked out of their devices 1 Alternatively they may have contacted the WannaCry domain as part of their cyber-security activity 1 3 The trusts infected by the WannaCry ransomware experienced two main types of disruption including o NHS staff being locked out of devices which prevented or delayed staff accessing and updating patient information sending test results to patients' GPs and transferring or discharging patients from hospital and o medical equipment and devices being locked or isolated from trusts' IT systems to prevent them being locked This meant trusts' radiology and pathology departments were disrupted as the trusts relied on the equipment and devices for diagnostic imaging such as MRI scanners and for testing blood and tissue samples 1 A 'kill-switch' is a mechanism that is incorporated into software to shut down that software or the device on which it sits in an emergency situation in which it cannot be shut down in the usual manner Monday 15 May Tuesday 16 May - Only two trusts diverting patients away from A E Source National Audit Office Initially unclear as to who was taking the lead The Department of Health leads on cyber issues but once it was clear it was a major operational incident NHS England took the lead Social media was also reporting the cyber attack Front-line staff in organisations were calling up either NHS England or NHS Digital as well as the police Friday 12 May Friday 19 May 5 30pm Friday 19 May - Incident is stood down by NHS England There was no formal mechanism for assessing whether NHS organisations had complied with NHS Digital's instructions so one was put in place This involved NHS England's Emergency Preparedness Resilience and Response team requiring providers to confirm action had been taken on a number of items Five trusts were unable to provide emergency care so arranged to divert patients to other locations 595 GP practices and 45 other NHS organisations infected including 27 acute trusts NHS England worked with IT suppliers of GP practices commissioning support units or private sector support to 'patch' GPs' IT systems Ensuring trusts and primary care organisations had up-to-date antivirus software installed on their systems Monday 15 May - Friday 19 May - Third phase of NHS England's response Remedial phase Saturday 13 May - Monday 15 May - Second phase of NHS England's response Ensure that primary care services were stable Friday 12 May - Sunday 14 May - First phase of NHS England's response Focus on securing emergency care pathways Friday 12 May - Global ransomware attack By the evening of Sunday 14 May - 3 486 GP practices 44% had applied necessary patches Evening - Cyber expert discovers 'kill-switch' and stops malware spreading further 6 45 pm - Decision that NHS England would lead the response co-ordinating with key partners particularly NHS Digital 4 00 pm - NHS England declares the cyber attack a national major incident 1 06 pm - First notification to NHS England's Emergency Preparedness Resilience and Response team of the attack Late morning - First trusts begin to report problems Friday 12 May NHS England emergency response to WannaCry lasted one week Figure 2 Timeline of the WannaCry attack from 12 May to 19 May 2017 Figure 2 shows The Department has major projects covering most of its priority areas 12 Part One Investigation WannaCry cyber attack and the NHS Investigation WannaCry cyber attack and the NHS Part One 13 As at 19 May 2017 NHS England had identified 1 220 pieces of diagnostic equipment that had been infected 1% of all such NHS equipment Although a relatively small proportion of devices the figure does not include devices disconnected from IT systems to prevent infection The trusts we spoke to told us about the disruption they had experienced due to diagnostic equipment being infected or isolated such as not being able to send MRI scan results to clinicians treating patients in other parts of the hospital 1 4 The disruption at trusts not infected by the ransomware was caused by o the absence of timely central direction leading to the trusts taking actions on their own initiative to avoid becoming infected including shutting down devices or isolating devices from their networks to protect themselves from the ransomware or o trusts not being able to access electronic patient records or receive information such as test results because they shared data or systems with an infected trust which had shut down its systems or o trusts disconnecting from the N3 network the broadband network connecting all NHS sites in England 1 5 The disruption at these trusts took a number of forms For example some trusts had to use manual workarounds to perform their usual tasks such as providing medication to patients and record information using pen and paper In addition organisations could not receive external emails so communication with national bodies and others outside their trust was severely limited 1 6 Despite widespread local disruption NHS Digital told us that national NHS IT systems managed by NHS Digital were not infected such as the NHS Spine a service holding secure databases of demographic and clinical information and NHSmail the NHS email system 1 7 Of the 27 acute trusts infected and locked out of devices five had to divert emergency ambulance services to other hospitals The five trusts and hospitals were o Barts Health NHS Trust Royal London Hospital o Mid Essex Hospital Services NHS Trust Broomfield Hospital o East and North Hertfordshire NHS Trust Lister Hospital o Hampshire Hospitals NHS Foundation Trust Basingstoke Hospital and o North Cumbria University Hospitals NHS Trust West Cumberland Hospital 14 Part One Investigation WannaCry cyber attack and the NHS The impact on patients 1 8 As infected NHS organisations could not access important information and electronic systems including patient records they had to cancel appointments and operations and some trusts had to divert patients to other accident and emergency departments Between 12 May and 18 May NHS England collected some information on how many appointments had been cancelled to help it manage the incident but did not collect data on all types of appointment NHS England identified that the NHS had cancelled 6 912 appointments but this figure does not include repeat outpatient appointments and cancellations identified after 18 May NHS England estimated the total number of cancelled appointments as being around 19 494 based on the normal rate of follow-up appointments to first appointments but told us it does not plan to identify the actual number because it is focusing its efforts on responding appropriately to the lessons learned from WannaCry NHS England did not collect data on how many GP appointments were cancelled or how many ambulances and patients were diverted from the accident and emergency departments that were unable to treat patients 1 9 NHS organisations did not report any cases of harm to patients or of data being compromised or stolen If the WannaCry ransomware attack had led to any patient harm or loss of data then NHS England told us that it would expect trusts to report cases through existing reporting channels such as reporting data loss direct to the Information Commissioner's Office ICO in line with existing policy and guidance on information governance NHS Digital also told us that analysis of the WannaCry ransomware suggested that the cyber attack was not aimed at accessing or stealing data although it does not know for certain that this is the case 1 10 The NHS continued to provide emergency care from 12 May to 19 May although some patients had to travel further as five hospitals had diverted services paragraph 1 7 Patients with planned appointments experienced most disruption Cancer charities including Macmillan Cancer Support and Cancer Research UK reported cancellations causing distress to patients NHS England's own review identified at least 139 patients who had an urgent referral for potential cancer cancelled as at 18 May although the actual number may be higher if trusts misreported during the data collection or identified cancellations after 18 May The financial impact 1 11 The Department of Health the Department NHS England and the National Crime Agency have told us that no NHS organisations paid the ransom NHS Digital told us it advised against the payment of the WannaCry ransom during site visits and telephone conferences with infected trusts Furthermore NHS England and NHS Digital wrote to all trusts on 14 May advising them against the payment of ransoms but these emails did not always reach trusts after that attack had begun Investigation WannaCry cyber attack and the NHS Part One 15 1 12 The NHS has not calculated the total cost of cancelled appointments of NHS staff overtime of additional IT support provided by NHS local bodies or IT consultants or the cost of restoring data and systems affected by the attack For example trusts and other NHS organisations had to roll back systems and restore data and systems including re-entering data recorded manually while trusts' systems were down National and local NHS staff had to work overtime including over the weekend of 13-14 May to resolve problems and to prevent a fresh wave of organisations being affected by WannaCry on Monday 15 May The recovery 1 13 In line with its established procedures for responding to a major incident NHS England focused its initial response on maintaining emergency care and within 24 hours began attending to primary care Since the attack occurred on a Friday it caused minimal disruption to primary care services which tend to be closed over the weekend Twenty-two of the 27 infected acute trusts continued treating urgent and emergency patients throughout the weekend However five trusts including Barts Health NHS Trust were unable to see some patients and had to divert them to other hospitals and a further two needed outside help to continue treating patients NHS England worked with trusts to ensure diverts were put in place and help provided By Tuesday 16 May only two hospitals were still diverting patients Lister Hospital in Hertfordshire and Broomfield Hospital in Essex NHS England 'stood down' the incident on Friday 19 May 1 14 The recovery was aided by the work of a cyber-security researcher who activated a kill-switch so that WannaCry stopped locking devices The researcher triggered the kill-switch on the evening of Friday 12 May This meant that some NHS organisations were infected by the WannaCry malware but because of the actions of the researcher they were not locked out of their devices and systems Between 15 May and mid-September NHS Digital and NHS England identified a further 92 organisations including 21 trusts attempting to contact the WannaCry domain in addition to the initial 45 organisations they had identified as being infected Although some of these trusts may have contacted the WannaCry domain as part of their cyber-security activity 16 Part Two Investigation WannaCry cyber attack and the NHS Part Two Why some parts of the NHS were affected 2 1 NHS organisations across England were affected by the WannaCry attack Figure 3 sets out the location of the trusts affected and shows the o 37 trusts infected by the WannaCry malware and o 44 trusts not infected by the malware but reporting disruption 2 2 Of the 37 trusts infected 32 were located in the North NHS region and the Midlands and East NHS region NHS England believes more organisations were infected in these regions because they were hit early on 12 May before the WannaCry kill-switch was activated Failure to patch and update systems and reliance on old software 2 3 It is not possible to eliminate all cyber threats but organisations can prevent harm through good cyber-security Such practice includes maintaining up-to-date firewalls and anti-virus software and applying patches updates in a timely manner NHS England's view is that WannaCry infected some parts of the NHS mainly because organisations had failed to maintain good cyber-security practices 2 4 NHS Digital told us that all the infected trusts had a common vulnerability in their Windows operating systems which was exploited by the WannaCry attack All NHS organisations infected by WannaCry had unpatched or unsupported Windows operating systems However whether organisations had patched their systems or not taking action to manage their firewalls facing the internet would have guarded the organisations against infection Investigation WannaCry cyber attack and the NHS Part Two 17 Figure3showsDisruptiontofront-lineservicesaffectedallpartsofthecountrybutwasconcentratedintheNorthNHSregionandtheMidlandsandEastNHSregion Figure 3 Trusts affected by the cyber attack Disruption to front-line services affected all parts of the country but was concentrated in the North NHS region and the Midlands and East NHS region Acute trust infected Other trust infected Acute trust affected but not infected Other trust affected but not infected Note 1 NHS England believes the concentration of infected trusts in the North NHS region and the Midlands and East NHS region does not reflect variations in cyber-security but may be partially explained by these organisations becoming infected earlier in the day before the WannaCry 'kill-switch' was activated Source National Audit Office analysis of NHS England data 18 Part Two Investigation WannaCry cyber attack and the NHS 2 5 NHS Digital told us that the majority of NHS devices infected were unpatched but on the supported Windows 7 operating system Trusts using Windows 7 could have protected themselves against WannaCry by applying a patch or update issued by Microsoft in March 2017 and NHS Digital had issued CareCERT alerts on 17 March and 28 April asking trusts to apply the patch 2 According to the Department of Health the Department more than 90% of devices in the NHS use the Windows 7 operating system 2 6 A second issue was that some trusts were running the older Windows XP operating system on some devices This made the trusts vulnerable because Microsoft was no longer releasing patches for this operating system and so they could not protect their systems from WannaCry unless they isolated those devices from the network Some trusts also experienced issues with some medical equipment such as MRI scanners that have Windows XP embedded within them see paragraph 1 3 This equipment is generally managed by the system vendors and local trusts are not capable of applying updates themselves Support from the vendors of these devices was often poor according to NHS England and NHS Digital However trusts running Windows XP on their medical equipment could have protected themselves by isolating these devices from the rest of the network although this may necessitate manual workarounds In July 2017 as part of its response to the National Data Guardian review the Department told local bodies to ensure that they had moved away from or were actively managing unsupported software by April 2018 2 7 The Department and Cabinet Office had written to trusts in 2014 offering some temporary help with security for old equipment until April 2015 after which time there would be no support This meant that it was essential that all NHS organisations had robust plans to migrate away from Windows XP Despite this the Department told us about 5% of the NHS IT estate including computers and medical equipment was still using Windows XP on 12 May 2017 This is partly explained by the fact that it is not always possible to remove or update Windows XP in applications and IT services based on that operating system Immediately after the WannaCry attack Microsoft issued a patch for Windows XP that would prevent WannaCry and similar ransomware Leadership and size of trusts 2 8 We found no clear relationship between those trusts infected by WannaCry and the quality of their leadership as rated by the Care Quality Commission CQC Of the 37 trusts infected by WannaCry four 11% had been rated as 'inadequate' against the 'well-led' domain at their last CQC inspection compared with 7% of NHS organisations not infected 3 However CQC had not focused on how well led trusts were in relation to cyber-security in their inspections before 12 May 2017 We understand CQC has plans to enhance its line of questions regarding information and digital systems as part of its inspection of the leadership of trusts in the future 2 3 A CareCERT alert is an email sent by NHS Digital providing information or requiring action from NHS organisations Of the 37 trusts infected by WannaCry 36 had a CQC rating Investigation WannaCry cyber attack and the NHS Part Two 19 2 9 We also found that infected trusts tended to employ more staff than average Of the 37 infected trusts o 14 38% were among the 25% of trusts employing the most staff and o 26 70% employed more than the median number of staff Although there is limited evidence on why this should be the case we found that o some of the trusts we spoke to told us that integrating IT systems when trusts merge and become larger and running many different versions of Windows operating systems not all of which are supported can be a challenge and o WannaCry exploited weaknesses within parts of Microsoft's Windows operating system used to share files within organisations This meant it spread automatically in some cases and organisations with large Windows networks were among the worst affected Prepared for a cyber attack 2 10 Before 12 May the Department and its arm's-length bodies did not know whether trusts had complied with CareCERT alerts as no formal mechanism of assessment existed at that time On 12 May NHS Digital worked with NHS England to put in place a formal mechanism for assessing whether NHS organisations had complied with CareCERT alerts Emergency Preparedness Resilience and Response EPRR teams requested a positive return from providers by midnight on 12 May that for example where they had o not been subject to an attack they had implemented the patch and o been subject to an attack they had implemented remedial works had been able to roll back their systems and could continue to provide emergency services or - if not - had put mitigations in place 2 11 Before the WannaCry attack NHS Digital offered an on-site inspection to hospitals to assess their cyber-security known as 'CareCERT Assure' This inspection was voluntary By 12 May NHS Digital had inspected 88 out of 236 trusts and none had passed NHS Digital's review of the WannaCry attack concluded that CareCERT advice and guidance including inspections was mostly followed by organisations with relatively mature cyber-security arrangements while vulnerable trusts were not taking action to improve their security NHS Digital also found that in general trusts had not identified cyber-security as being a risk to patient outcomes and had tended to overestimate their readiness to manage a cyber attack NHS Digital believes this reflects a lack of understanding of the nature of cyber risk among trusts rather than a neglect of cyber-security 20 Part Two Investigation WannaCry cyber attack and the NHS 2 12 The Department and its arm's-length bodies did not hold information on how prepared local organisations were to respond to a cyber attack such as whether cyber-security appeared on organisations' risk registers or whether trusts complied with good practice The Department and its arm's-length bodies also had limited central information on trusts' IT and digital assets such as anti-virus software and IP addresses At the start of its investigation the National Crime Agency had to gather evidence from all sites including information on the devices affected IP addresses and network traffic to assess the impact of WannaCry on the NHS rather than being able to access the information centrally Investigation WannaCry cyber attack and the NHS Part Three 21 Part Three How the Department and the NHS responded Devolved responsibility for cyber-security 3 1 The Department of Health the Department has overall national responsibility for cyber-security resilience and responding to incidents in the health sector However the Department devolves responsibility for managing cyber-security to local organisations - NHS trusts GPs clinical commissioning groups and social care providers Regulators and other national bodies oversee and support local NHS organisations While NHS foundation trusts are directly accountable to Parliament for delivering healthcare services they are held to account by the same regulators as NHS trusts Roles and responsibilities for cyber-security as at September 2017 are set out in Figure 4 on pages 22 and 23 In particular o NHS Improvement holds trusts and NHS foundation trusts to account for delivering value for money and o the Care Quality Commission CQC regulates health and social care providers for safety and quality of their services 3 2 Both bodies can mandate local NHS organisations to improve their performance They also have a role in ensuring that local bodies have appropriate cyber-security arrangements but neither are primarily concerned with cyber or information technology issues NHS Digital provides guidance alerts and support to local organisations on cyber-security and can visit organisations to evaluate cyber-security arrangements if asked to do so as part of CareCERT Assure 4 However NHS Digital cannot mandate a local body to take remedial action even if it has concerns about the vulnerability of that organisation 4 Prior to the WannaCry attack NHS Digital offered an on-site inspection to hospitals to assess their cyber-security This was known as 'CareCERT Assure' and was voluntary NHS national bodies are currently revising this system 22 Part Three Investigation WannaCry cyber attack and the NHS Multiple intersecting links Figure Figure 44 Roles Roles and and responsibilities responsibilities for for cyber-security cyber-security in in the the NHS NHS as as at at September September 2017 2017 National National and and local local bodies bodies share share responsibility responsibility for for cyber-security cyber-security in in the the health health sector sector Cabinet CabinetOffice Officeleads leadson on non-mandatory non-mandatory policies policies and andprinciples principles although althoughall all departments departmentsand andbodies bodiesare are accountable accountableand andresponsible responsible for fortheir own their owncyber-security cyber-security Cabinet CabinetOffice Office GCHQ GCHQ National NationalCyber Cyber Security SecurityCentre Centre National NationalCrime Crime Agency Agency Home HomeOffice Office Key Keyguidance guidanceisispublished publishedby by the theNational NationalCyber CyberSecurity Security Centre Centre and andititisissupported supported by bythe theNational NationalCrime CrimeAgency Agency ininleading leadingthe theresponse response to tomajor majorcyber-security cyber-security incidents incidentsininthe theUK UK including including criminal investigations criminal investigations Department Departmentof ofHealth Health Lead Leadgovernment governmentDepartment Departmentand andleads leadsthe thehealth healthand andcare caresystem system including includingoverseeing overseeingcyber-security cyber-securityresilience resilienceand andincident incidentresponses responses Manages Managesthe theinterface interfacebetween betweenhealth healthand andsocial socialcare carewith withthe theCabinet CabinetOffice Office other othergovernment governmentdepartments departmentsand andagencies agencies During Duringaacyber cyberincident incidentcoordinates coordinatesbriefings briefingsto toministers ministersand andthe theNational NationalData DataGuardian Guardian Coordinates Coordinatesinvolvement involvementinincentral centralgovernment governmentresponses responsesto toincidents incidents Contributes Contributesto tocross-government cross-governmentbriefings briefingswhen whenresponding respondingto toaamajor majorincident incident including includingwhen whenaaCOBRA COBRAresponse responseisiscalled called Coordinates Coordinatespublic publiccommunications communicationsininagreement agreementwith withother otherorganisations organisations National NationalInformation InformationBoard Board NHS NHSEngland England NHS NHSDigital Digital Provides Providesleadership leadershipacross across the thehealth healthand andcare caresector sectoron on IT IT including includingsetting settingannual annual commissioning commissioningpriorities prioritiesfor for NHS NHSDigital Digitaland andturning turningthese these into intoan anagreed agreeddelivery deliveryplan plan Provides Providesinformation informationabout aboutcyber-security cyber-securityto commissioners to commissioners Works Workswith withlocal localhealthcare healthcareto to understand understandand andadvise adviseon ontheir their cyber-security requirements cyber-security requirements Works Workswith withclinical clinicalcommissioning commissioninggroups groups CCGs CCGs commissioning commissioningsupport supportunits unitsand andaudit auditchairs chairsat ataaleadership leadership level levelto tosupport supportboard boardownership ownershipof ofcyber-security cyber-securityand overall and overall response responsewhen whencyber cyberincidents incidentsoccur occur Responsible Responsiblefor forhelping helpingto toembed embedcyber-security cyber-securitystandards standards ininthe thehealth healthsector sector eg egthrough throughthe theNHS NHSStandard StandardContract Contract and andthrough throughthe theinclusion inclusionof ofrequirements requirementsfor forservices servicesitit commissions commissions such suchas asIT ITfor general for generalpractioners practioners National NationalData DataGuardian Guardian Provides Providesindependent independentadvice advice on ondata-sharing data-sharingand security and security Must Mustbe beinformed informedabout aboutall all cyber-security cyber-securityincidents incidentsat atthe the same sametime timeas asministers ministers Communicates Communicatesits itsrole roleininmanaging managing cyber-security cyber-securityand andincidents incidentsto toother other healthcare organisations healthcare organisations Maintains Maintainskey keyIT ITsystems systemsused usedby byhealthcare healthcare organisations organisations such suchas asN3 N3and andSPINE SPINE Responsible Responsiblefor forensuring ensuringCCGs CCGsand andproviders providers eg egtrusts trusts have have appropriate appropriateplans plansininplace placeto torespond respondto toan anincident incidentor oremergency emergency Provides Providesadvice adviceto tothe thehealth healthand andsocial social care caresystem systemabout abouthow howto toprotect protectagainst against or respond or respondto to aacyber incident cyber incident Lead Leadorganisation organisationwhen whenmajor majorincident incidentcalled called Coordinates Coordinatesthe the control controlof ofan anincident incidentthrough throughits itsEmergency EmergencyPreparedness Preparedness Resilience Resilienceand andResponse Response EPRR EPRR structures structureswhere whereappropriate appropriate Provides Providesadvice adviceand andsupport supportto tohealth health organisations organisationsduring duringaacyber cyberincident incident through through'CareCERT 'CareCERTReact' React' Communicates Communicatesto tothe thehealthcare healthcaresystem systemabout aboutthe thepractical practicaland and clinical clinicalsteps stepsto tobe taken be takenininresponse responseto toan anincident incidentwhen whenrequired required Works Worksto tounderstand understandand andrespond respondto to cyber cyberincidents incidentson onnational nationalsystems systemsor or on healthcare on healthcareIT ITnetworks networks Does Doesthis thisthrough throughdigital digitalteams teamsat atregional regionallevel level These Theseteams teams coordinate coordinatewith withNHS England's NHS England'scentral centralcyber cyberteam teamand andwith with NHS NHSDigital Digital Notifies Notifiesand andworks workswith withthe theNational NationalCyber Cyber Security SecurityCentre Centreto torespond respondto tocyber cyberincidents incidents 209 209 clinical clinical commissioning commissioning groups groups Responsible Responsible for for following following standards standards set set by by the the Department Department and and its its arm's-length arm's-length bodies bodies for for protecting protecting the the data data they they hold hold according to according to the the Data Data Protection Protection Act Act 1998 1998 and and for for having having arrangements arrangements inin place place to to respond respond to to an an incident incident or or emergency emergency under under the the Civil Contingencies Civil Contingencies Act Act 2004 2004 Other Other government government Health Health sector sector Source Source National NationalAudit AuditOffi Office ceanalysis analysisof ofDepartment Departmentof ofHealth Healthand andNHS NHSEngland Englanddata data Investigation WannaCry cyber attack and the NHS Part Three 23 Multiple intersecting links NHS NHSImprovement Improvement Care CareQuality QualityCommission Commission Communicates Communicatesinformation informationabout aboutcyber-security cyber-securityto totrusts trusts and other and otherhealthcare providers healthcare providers Assesses Assessesand andregulates regulatesthe safety the safety of patient care of patient care Works Workswith withtrusts trustsat ataaleadership leadershiplevel levelto tosupport supportboard board ownership ownershipof ofcyber-security cyber-securityand overall and overallresponse responseto to cyber incidents cyber incidents Assesses Assessesthe theadequacy adequacyof ofleadership leadership including includingininensuring ensuringdata datasecurity security Works Workswith withsenior seniorhealthcare healthcareleaders leadersto toensure ensurerecommended recommended actions actionsfor forcyber cyberresilience resilienceare areimplemented implemented and andacts actsas asan an escalation escalationpoint pointwhen whencyber incidents occur cyber incidents occur Takes Takesaccount accountof ofdata datasecurity securityininreaching reaching judgements judgementson onwell-led well-ledorganisations organisations Attains Attainsassurance assurancethat thatfollow-up follow-upactions actionsto toincrease increaseresilience resilience have havebeen beenimplemented implementedby byhealthcare healthcareproviders providers Considers Considersdata datasecurity securityduring duringits itsoversight oversightof oftrusts trusts through the through theSingle SingleOversight Framework Oversight Frameworkand andas aspart partof ofits its decision-making decision-makingon ontrusts trustswho whoare arein special in specialmeasures measures Works Workswith withNHS NHSEngland Englandto tocommunicate communicateto tothe thehealthcare healthcare system systemduring duringaacyber cyberincident incident ininparticular particularthrough throughthe the chief information chief informationofficer officer CIO CIO for forthe thehealth healthand andcare caresystem system who whoworks worksacross acrossNHS NHSImprovement Improvementand NHS England and NHS England 236 236NHS NHStrusts trustsand andNHS NHSfoundation foundationtrusts trusts Responsible Responsiblefor forfollowing followingstandards standardsset setby bythe theDepartment Departmentand andits itsarm's-length arm's-lengthbodies bodiesfor forprotecting protectingthe thedata datathey they hold holdaccording accordingto tothe theData DataProtection ProtectionAct Act1998 1998 and andfor forhaving havingarrangements arrangementsininplace placeto torespond respondto toan anincident incidentor or emergency emergency under underthe theCivil CivilContingencies ContingenciesAct Act2004 2004 24 Part Three Investigation WannaCry cyber attack and the NHS How the cyber attack was managed 3 3 Before the WannaCry attack the Department had developed a plan for responding to a cyber attack which included roles and responsibilities of national and local organisations However the Department had not tested the plan at a local level This meant the NHS was not clear what actions it should take when affected by WannaCry including how it should respond at a local level On 12 May 2017 NHS England determined that it should declare a national major incident and decided that it would lead the response coordinating with NHS Digital and NHS Improvement NHS England treated the attack as a major operational incident through its existing Emergency Preparedness Resilience and Response EPRR processes However as NHS England had not rehearsed its response to a cyber attack it faced a number of challenges The cyber attack was less visible than other types of incident and not confined to local areas or regions in the way a major transport accident would have been for example This meant that it took more time to determine the cause of the problem the scale of the problem and the number of people and organisations affected 3 4 Without clear guidelines on responding to a national cyber attack organisations reported the attack to different sources including the local police NHS England and NHS Digital For the same reason communications to patients and local organisations also came from a number of sources These included the National Cyber Security Centre which was providing support to all UK organisations affected by the attack NHS England and NHS Digital In addition the use of email for communication was limited although NHS Improvement did communicate with trusts' chief executive officers by telephone Affected trusts shut down IT systems including some trusts disconnecting from NHS email and the N3 network as a precautionary measure 5 The Department coordinated the response with the centre of government briefing ministers liaising with the National Cyber Security Centre and National Crime Agency and overseeing NHS England's and NHS Digital's operational response 3 5 Affected trusts were triaged through the EPRR route and where necessary received assistance from national bodies including advice and physical technical support from NHS Digital which sent 54 staff out to hospitals to provide direct support Staff at the Department NHS England NHS Improvement and NHS Digital as well as large numbers of staff in other organisations across the NHS worked through the weekend to resolve the problem and avoid further problems on Monday NHS England's IT team did not have on-call arrangements in place but staff came in voluntarily to help resolve the issue Front-line NHS staff adapted to communication challenges and shared information through personal mobile devices including using the encrypted WhatsApp application NHS national bodies and trusts told us that this worked well on the day although is not an official communication channel 5 N3 is the broadband network connecting all NHS sites in England Investigation WannaCry cyber attack and the NHS Part Three 25 The risk of a cyber attack had been identified before WannaCry 3 6 The Secretary of State for Health asked the National Data Guardian and CQC to undertake reviews of data security These reports were published in July 2016 and warned the Department about the cyber threat and the need for the Department to respond to it They noted the threat of cyber attacks not only put patient information at risk of loss or compromise but also jeopardised access to critical patient record systems by clinicians They recommended that all health and care organisations needed to provide evidence that they were taking action to improve cyber-security such as through the 'Cyber Essentials' scheme 6 3 7 Although WannaCry was the largest cyber-security incident to affect the NHS individual NHS organisations had been victims of other attacks in recent years Figure 5 overleaf WannaCry infected one of England's biggest trusts Barts Health NHS Trust This was the second cyber attack to affect the trust in six months A ransomware attack had also affected Northern Lincolnshire and Goole NHS Foundation Trust in October 2016 which had led to it cancelling 2 800 appointments Lessons learned 3 8 The NHS has accepted that there are lessons to learn from WannaCry and is already taking action The NHS has identified the need to improve the protection of services from future cyber attacks These include the need to o develop a response plan setting out what the NHS should do in the event of a cyber attack and establish the roles and responsibilities of local and national NHS bodies and the Department o ensure organisations implement critical CareCERT alerts including applying software patches and keeping anti-virus software up to date and identifying o ensure essential communications are getting through during an incident when systems are down and o ensure that organisations boards and their staff are taking the cyber threat seriously understand the direct risks to front-line services and are working proactively to maximise their resilience and minimise the impact on patient care 3 9 Following the WannaCry attack NHS England and NHS Improvement wrote to every trust clinical commissioning group and commissioning support unit asking boards to ensure that they had implemented all 39 CareCERT alerts issued by NHS Digital between March and May 2017 and had taken essential action to secure local firewalls 6 Cyber Essentials is a government-designed cyber-security certification scheme that sets out a baseline of cyber-security and can be used by any organisation in any sector see www cyberaware gov uk cyberessentials Source National Audit Office Lasted four days and affected more than 2 800 patients Trust resolved the issue liaising with external cyber-security company and police Cancelled appointments operations and diagnostic procedures High-risk women in labour had to be transferred to other hospitals Princess of Wales Hospital Scunthorpe General Hospital and Goole and District Hospital affected as well as United Lincolnshire Hospital NHS Trust due to shared IT access 2016 2016 - Royal Cornwall Hospitals NHS Trust had been infected by a cyber attack once before 2016 and was the subject of multiple unsuccessful attacks during 2016 At least 2000 current and former staff thought to have had details compromised Shut down file-sharing system to investigate the attack Initially reported to be ransomware but later concluded by the trust to be Trojan malware which was successfully contained Landauer was employed by the NHS to monitor radiation levels among staff 2017 12 May 2017 - Global WannaCry attack affects the NHS 28 February 2017 - Private files stolen from Landauer which has personal details of NHS staff 7 February 2017 ISIS-linked hackers display graphic images on NHS websites The Royal London St Bartholomew's Whipps Cross and Newham hospitals were affected 30 October 2016 - Variant of Globe2 ransomware attack on the Northern Lincolnshire and Goole NHS Foundation Trust 13 January 2017 - Barts Health NHS Trust one of the largest trusts in the NHS suffers cyber attack The NHS had experienced a number of cyber attacks prior to the WannaCry attack Figure 5 Cyber attacks on the NHS in 2016 and 2017 before 12 May 2017 Figure 5 shows that the NHS had experienced a number cyber attacks prior to the WannaCry attack 26 Part Three Investigation WannaCry cyber attack and the NHS Investigation WannaCry cyber attack and the NHS Part Three 27 3 10 NHS England and NHS Improvement are talking to every major trauma centre and ambulance trust and will reprioritise GBP21 million in capital funding from existing IT budgets to improve cyber-security in major trauma centres NHS Digital has built a new CareCERT Collect portal to provide assurance that trusts have implemented cyber alerts and to collect central data on IT and digital assets in the NHS Since 2015 the Department has made GBP50 million available to provide central support to the health and care system through the CareCERT suite of services 3 11 Following the WannaCry attack in July 2017 the Department published its response to the National Data Guardian and CQC recommendations The response built on existing work to strengthen cyber-security in the NHS involving the Department and its arm's-length bodies For example NHS Digital was developing its existing services to support local organisations including broadcasting alerts about cyber threats providing a hotline for dealing with incidents sharing best practice across the health system and carrying out on-site assessments to help protect against future cyber attacks and NHS England had embedded the 10 Data Security Standards recommended by the National Data Guardian in the standard NHS contract for 2017-18 and was providing training to its Board and local teams to raise awareness of cyber threats The Department also told us that a revised version of the Information Governance Toolkit is being developed for use in 2018-19 and that the inspection framework used by the CQC will be updated to incorporate the data standards 7 7 The Information Governance Toolkit draws together the legal rules and central guidance issued by the Department of Health and presents them in a single standard as a set of information governance requirements All health and social care providers commissioners and suppliers are required to carry out self-assessments of their compliance against these requirements The Toolkit is commissioned by the Department and is maintained by NHS Digital See www igt hscic gov uk 28 Appendix One Investigation WannaCry cyber attack and the NHS Appendix One Our investigative approach Scope 1 We conducted an investigation into the WannaCry cyber attack that affected the NHS in England on 12 May 2017 We investigated o the WannaCry attack's impact on the NHS and its patients o why some parts of the NHS were affected and o how the Department NHS national bodies NHS England NHS Digital and NHS Improvement and other national bodies such as the National Cyber Security Centre and National Crime Agency responded to the incident Methods 2 In examining the issues in paragraph one we drew on a variety of evidence sources 3 We conducted semi-structured interviews with officials from o Department of Health o NHS England o NHS Digital o NHS Improvement o Care Quality Commission o National Cyber Security Centre o National Crime Agency o Cabinet Office Investigation WannaCry cyber attack and the NHS Appendix One 29 4 We visited four local trusts to examine their roles and responsibilities in relation to cyber-security the impact of WannaCry on the trust and its patients and how the trust responded to the incident o Barts Health NHS Trust o Bedford Hospital NHS Trust o Northern Lincolnshire and Goole NHS Foundation Trust and o the Royal Marsden NHS Foundation Trust 5 We reviewed documents relating to the WannaCry ransomware attack including documents setting out roles and responsibilities for cyber-security in the NHS and across the wider public sector We also reviewed published and unpublished research and reports relating to the NHS and WannaCry and cyber-security more generally 6 We carried out analysis of data provided by NHS England NHS Digital and the Care Quality Commission 30 Appendix Two Investigation WannaCry cyber attack and the NHS Appendix Two Trusts infected or disrupted by WannaCry Figure 6 Trusts infected or affected by the WannaCry attack Trusts infected by WannaCry and locked out of devices Barts Health NHS Trust Lancashire Care NHS Foundation Trust Birmingham Community Healthcare NHS Foundation Trust Lancashire Teaching Hospital NHS Trust Blackpool Teaching Hospitals NHS Foundation Trust Bradford District Care NHS Foundation Trust Bridgewater Community Healthcare NHS Foundation Trust Central Manchester University Hospitals NHS Foundation Trust Colchester Hospital University NHS Foundation Trust Mid Essex Hospital Services NHS Trust Norfolk and Norwich University Hospital NHS Foundation Trust North Cumbria University Hospitals NHS Trust Northern Lincolnshire and Goole NHS Foundation Trust Northumbria Healthcare NHS Foundation Trust Nottinghamshire Healthcare NHS Foundation Trust Plymouth Hospitals NHS Trust Cumbria Partnership NHS Foundation Trust Royal Berkshire Hospital NHS Foundation Trust East and North Hertfordshire NHS Trust Salford Royal NHS Foundation Trust East Cheshire NHS Trust Shrewsbury and Telford Hospital NHS Trust East Lancashire Teaching Hospitals NHS Trust Solent NHS Trust Essex Partnership University NHS Foundation Trust Southport and Ormskirk Hospital NHS Trust George Eliot Hospital NHS Trust The Dudley Group NHS Foundation Trust Greater Manchester Mental Health NHS Foundation Trust United Lincolnshire Hospitals NHS Trust Hampshire Hospitals NHS Foundation Trust Hull and East Yorkshire Hospitals NHS Trust Humber NHS Foundation Trust James Paget University Hospitals NHS Foundation Trust Source NHS England Figure 6 shows Trusts infected or affected by the WannaCry attack University Hospitals of Morecambe Bay NHS Foundation Trust Wrightington Wigan and Leigh NHS Foundation Trust York Teaching Hospitals NHS Foundation Trust Investigation WannaCry cyber attack and the NHS Appendix Two 31 Trusts not infected by WannaCry but known to have experienced disruption Airedale NHS Foundation Trust Leicestershire Partnership NHS Trust Ashford and St Peters Hospitals NHS Foundation Trust Lincolnshire Community Health Services NHS Trust Barking Havering and Redbridge University Hospitals NHS Trust Barnsley Hospital NHS Foundation Trust Bedford Hospital NHS Trust Bradford Teaching Hospitals NHS Foundation Trust Brighton and Sussex University Hospitals NHS Trust Buckinghamshire Healthcare NHS Foundation Trust Calderdale and Huddersfield NHS Foundation Trust Central London Community Healthcare NHS Trust Chelsea and Westminster Hospital NHS Foundation Trust Doncaster and Bassetlaw Hospitals NHS Foundation Trust Dorset Healthcare NHS Foundation Trust East Kent Hospitals University NHS Foundation Trust Great Ormond Street Hospital NHS Foundation Trust Guy's and St Thomas' NHS Foundation Trust Harrogate and District NHS Foundation Trust Kettering General Hospital NHS Foundation Trust Kingston Hospital NHS Trust Leeds and York Partnership NHS Foundation Trust Leeds Community Healthcare NHS Trust Leeds Teaching Hospitals NHS Trust Source NHS England Lincolnshire Partnership NHS Trust London North West Healthcare NHS Trust Luton and Dunstable NHS Trust Mid Yorkshire Hospitals NHS Trust Moorfields Eye Hospital NHS Foundation Trust North West Ambulance Service NHS Trust Northampton General Hospital NHS Trust Northamptonshire Healthcare NHS Foundation Trust Rotherham Doncaster and South Humber NHS Foundation Trust Sheffield Children's NHS Foundation Trust Sheffield Health and Social Care NHS Foundation Trust Sheffield Teaching Hospitals NHS Foundation Trust South West Yorkshire Partnership NHS Foundation Trust South Western Ambulance Service NHS Foundation Trust Sussex Community NHS Foundation Trust The Rotherham NHS Foundation Trust University Hospitals of Leicester NHS Trust West Hertfordshire Hospitals NHS Trust West London Mental Health NHS Trust Yorkshire Ambulance Service NHS Trust This report has been printed on Evolution Digital Satin and contains material sourced from responsibly managed and sustainable forests certified in accordance with the FSC Forest Stewardship Council The wood pulp is totally recyclable and acid-free Our printers also have full ISO 14001 environmental accreditation which ensures that they have effective procedures in place to manage waste and practices that may affect the environment GBP10 00 ISBN 978-1-78604-147-0 Design and Production by NAO External Relations DP Ref 11594-001 9 781786 041470                     National Security Archive    Suite 701  Gelman Library  The George Washington University    2130 H Street  NW  Washington  D C  20037    Phone  202 994‐7000  Fax  202 994‐7005  nsarchiv@gwu edu