2 Although some of these trusts may have contacted the WannaCry domain as part

2 Although some of these trusts may have contacted the WannaCry domain as part of their cyber-security activity. 2 NHS England initially identified 45 organisations as being infected, but three of these were mistakenly identified as being infected and later re-categorised as not being infected but experiencing disruption.

16 Part Two Investigation: WannaCry cyber attack and the NHS Part Two Why some parts of the NHS were affected 2.1 NHS organisations across England were affected by the WannaCry attack. Figure 3 sets out the location of the trusts affected and shows the: • 34 trusts infected by the WannaCry malware; and • 46 trusts not infected by the malware but reporting disruption. 2.2 Of the 34 trusts infected, 29 were located in the North NHS region and the Midlands and East NHS region. NHS England believes more organisations were infected in these regions because they were hit early on 12 May before the WannaCry kill-switch was activated. Failure to patch and update systems and reliance on old software 2.3 It is not possible to eliminate all cyber threats but organisations can prevent harm through good cyber-security. Such practice includes maintaining up-to-date firewalls and anti-virus software, and applying patches (updates) in a timely manner. NHS England’s view is that WannaCry infected some parts of the NHS mainly because organisations had failed to maintain good cyber-security practices. 2.4 NHS Digital told us that all the infected trusts had a common vulnerability in their Windows operating systems which was exploited by the WannaCry attack. All NHS organisations infected by WannaCry had unpatched, or unsupported, Windows operating systems. However, whether organisations had patched their systems or not, taking action to manage their firewalls facing the internet would have guarded the organisations against infection.

Investigation: WannaCry cyber attack and the NHS Part Two 17 Figure 3 shows Disruption to front-line services affected all parts of the country but was concentrated Figure 3 Trusts affected by the cyber attack Disruption to front-line services affected all parts of the country but was concentrated in the North NHS region and the Midlands and East NHS region Note 1 NHS England believes the concentration of infected trusts in the North NHS region and the Midlands and East NHS region does not refl ect variations in cyber-security, but may be partially explained by these organisations becoming infected earlier in the day, before the WannaCry ‘kill-switch’ was activated. Source: National Audit Offi ce analysis of NHS England data Acute trust infected Other trust infected Acute trust affected, but not infected Other trust affected, but not infected

18 Part Two Investigation: WannaCry cyber attack and the NHS 2.5 NHS Digital told us that the majority of NHS devices infected were unpatched but on the supported Windows 7 operating system. Trusts using Windows 7 could have protected themselves against WannaCry by applying a patch (or update) issued by