NHS England business continuity management toolkit case study: WannaCry attack

Organisation: County Durham and Darlington NHS Foundation Trust (CDDFT)
Incident: WannaCry Attack – 12 May 2017

What happened

The WannaCry ransomware attack was a worldwide cyber-attack which took place in May 2017. The cyber-attack targeted PCs running Windows. The attackers encrypted data and demanded a ransom; if this was not paid, the group threatened to release data/information. Microsoft were made aware of a potential attack 12 months prior to the attack and released a security patch to be installed on all electronic devices that ran Windows.

Organisations that did not install the patch when advised to do so by Microsoft then became the target. 200,000 PCs were infected across 156 countries as a result of the WannaCry ransomware attack.

County Durham and Darlington NHS Foundation Trust (CDDFT) did not suffer from a direct attack, however:

The ambulance service protected their network by closing access to their network, with the main impact being:

  • Ambulance handover process and screens disabled
  • Patient Transport Service booking portal not available.

Tertiary centres protected their network by closing access to their network, with the main impact being:

  • We could not transfer CT/MR scans
  • We could not access Chemo Care meaning we could not transfer Chemo orders to our

The primary care IT provider protected their network by closing access to their network, with the main impact being:

  • Automated transfer of blood results failed.
  • Certain GPs couldn’t access their case load.

Action taken

Ambulance service

  • Handover process: Pre-alerts continued to be communicated by landline and
    ambulances arrived without warning; however, pins were communicated via airwaves
  • Patient Transport Service: Business Continuity Plan invoked, and bookings made via

Tertiary centres

  • Transferred images onto DVD and sent by taxi
  • Chemo orders reverted to paper and faxed.

Primary care

  • Transfer of blood results reverted to paper; however, this slowed the whole process down
  • Some GPs were able to access their caseload by accessing System One via our
    Urgent Treatment Centres.

Lessons identified

A number of lessons were identified and Business Continuity Plans (BCPs) updated:

Ambulance service

  • No system-wide fix agreed. CDDFT BCP updated to reflect that pins would be
    communicated by paramedics' airwaves
  • Patient Transport Service: BCP updated to include direct dial numbers to make
    bookings either via landline or mobile.

Tertiary centres

  • Secondary DVD purchased and CDDFT BCP updated to reflect the transfer of images
    via DVD
  • Chemo Care now has a BCP detailing actions to be taken in the event of a cyber-attack.

Primary care

  • Pathology BCP updated to incorporate actions to be taken in the event of a Cyber
  • Primary Care BCPs updated to incorporate the process of accessing their case load
    via a Trust Urgent Treatment Centre.

To minimise the impact on the health economy, it is imperative that NHS organisations understand their interdependencies and then work to dovetail their Business Continuity Plans for shared services.