Report published 18 April 2018. Government response published 28 June 2018.
Report and response published
Scope of the inquiry
On Friday 12 May 2017 the NHS in England was attacked using the WannaCry virus. WannaCry is a ransomware that encrypts data and demands money to be able to access it again.
According to a National Audit Office investigation, the attack disrupted at least 34% of trusts in England. 37 trusts were locked out of devices, whilst a further 44 were not infected but experienced disruption (for example, shutting down their email systems as a precaution). A further 603 NHS organisations were infected, including 595 GP practices.
This resulted in the cancellation of 6,912 appointments and operations, and in five areas patients had to travel further to access A&E services.
The NHS had developed a cyber-attack action plan, but it had not been tested at a local level, and the NHS had not rehearsed for the eventuality of an attack. This led to communication problems between national and local NHS bodies. The NAO concluded that more disruption could have occurred without the intervention of a cyber-researcher who discovered a ‘kill-switch’.
The NHS followed its major incident priority of focusing on emergency care. 22 out of 27 acute trusts could continue treating emergency patients, but five had to redirect parents and two needed outside assistance.
In its ‘lessons learned’ work, NHS Digital concluded that all affected organisations had been using unsupported or unpatched operating software that could have been easily protected by better firewall management. The NHS is already acting, including developing a better response plan for cyber-incidents, and ensuring communications systems can continue to function safely.
The Committee will take evidence from the Department of Health, NHS England, NHS Improvement and NHS Digital about their response to the attack, and how they are protecting against further attacks in future.