Public sector case study: UK NHS WannaCry cyber-attack

Day to day my job as head of resilience and patient flow is to prepare our organisation to face those threats and incidents which might challenge the services So, about lunchtime on the Friday we became alerted to what we then suspected and subsequently did know was a cyberattack attacking the networks. At that point we didn’t know that was called WannaCry. However our IT teams were confident that it definitely was a cybersecurity attack and therefore we needed to implement measures to protect the IT infrastructure in the organisation. In terms of precursor signs there were none. We have routine firewall systems that are looking for signs of attack. Our IT systems constantly monitor the health of the network.

But in terms of this particular circumstance the first thing we knew was that it happened. And that was the nature of what we were facing was a day zero attack that we couldn’t have foreseen but was very rapidly developing and requiring us to respond. And if I use the analogy of the flu vaccine we try to prepare a vaccine every year that we think are the types of strains that might happen that year and quite often we’re successful. In this particular case the level of protection wrapping around our IT system was not prepared because nobody had ever seen it before.

The key impacts that we faced at the time and like many other NHS organisations is that technology is becoming more and more prevalent through the delivery of healthcare. Everything from the front door when you check into the hospital through to your x-rays, your bloods, your notes, your pharmacy records; everything is electronic. Take that away from the care organisation and you are faced with a very difficult situation and potentially that has a serious consequence on the care that we can deliver to those patients.

Inside the hospital electronic patient records become invisible and therefore being able to know what care we have to give you are defaulting to paper systems which people aren’t familiar with because on a day-by-day basis that’s not their routine. Nevertheless no patient came to any harm. We seamlessly transitioned from electronic to paper. We quickly set up IT teams to respond internally and no patient ever saw a difference in the level of care that they received for the duration of the incident.