A year ago on Saturday, services across the NHS were forced to close when a computer virus began encrypting files and demanding users pay a ransom in bitcoin before being able to use the machines.
Patients were turned away from hospitals, operations were delayed and cancelled, and amid the confusion the government even held an emergency COBRA meeting to address the crisis.
In the end, it wasn’t any of the talented computer scientists working at the National Cyber Security Centre who stopped the WannaCry malware, but a 22-year-old security researcher who accidentally discovered a kill switch domain in the code of the virus, drastically slowing its spread.
But by that time the damage had been done. Out of 236 NHS trusts across England, 80 were hit by the ransomware. Another 603 organisations, including 595 GP surgeries, were infected. Almost 20,000 hospital appointments and operations were cancelled, while five A&E departments were forced to divert patients to other hospitals.
Dan Taylor, who heads the NHS cyber security programme, told Sky News: “The impact was quite small [in context].”
He said this not to underplay those cancellations, but to note that “as a dress rehearsal – as a ‘lesson learned’ – it was good”, adding: “It raised awareness of how cyber security can actually impact patient-facing services.”
“One thing that has changed is public awareness of cyber security in general,” agreed Darien Huss, a researcher at Proofpoint who was among the many contributing to the public analysis of the WannaCry code, speaking to Sky News.
Proofpoint’s Rob Holmes said: “When your mum asks you to explain ransomware, you know it’s gone mainstream.”
Awareness of cyber attacks now has board-level attention, said Mr Holmes, noting that the NHS is investing millions of pounds in upgrading its software to be more resilient against these kinds of attacks in the future.
“From my perspective, lots has changed,” he added. “WannaCry has brought an awareness and an urgency to cyber security.”
“In retrospect, WannaCry has almost certainly acted as a catalyst for improvement,” said Don Smith, the technology director at Secureworks.
However, there is still “a long way to go” to improve NHS cyber security, according to MPs on the public accounts committee of parliament.
According to their report, the attack could have had an even more serious impact on the NHS if it had not happened in the summer, or on a Friday, or had the kill switch not been discovered so soon.
Mr Smith noted that many organisations around the world, including the NHS, have responded proactively since last May.
“The NHS, for example, has now taken the decision to upgrade all of its systems to Windows 10, which will definitely improve their overall security posture.
“This reflects one of the criticisms of the [National Audit Office] report into the WannaCry incident [published last November]. Interestingly that report doesn’t really ask why the NHS was so disproportionately affected across all of its organisations compared to other enterprises.
“This wasn’t a targeted attack at the NHS after all, so why did the worm spread so widely within the NHS?”
The NAO report in November declared that the NHS and the Department of Health need to “get their act together” or risk more damaging cyber attacks on their computer systems, after an independent investigation into the incident.
Sir Amyas Morse, the head of the NAO, said: “The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients.
“It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.
“There are more sophisticated cyber threats out there than WannaCry so the Department [of Health] and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
Mr Taylor, who heads data security at NHS Digital, told Sky News that he had no doubt that health services would be severely impacted by cyber security incidents in the future – comparing his job to that of a doctor.
It may not be possible to prevent infection and injury, either in healthcare or in cyber security, but expecting them and having the proper processes in place to respond is vital.
He said: “Things will go wrong, and when they do go wrong, actually you need the right systems, processes and people in place to actually limit that.
“We don’t know what the worst case scenario could be.
“For too long we’ve been too timid, where actually if we said, do you know what, in future we’re going to lose a battle along the way, a hospital may have to close its doors.
“I think if we have that honest conversation now, we’re much likely better to prepare ourselves for that eventuality.”