NHS didn't know how to respond to WannaCry, claims National Audit Office in official investigation into the ransomware outbreak

Healthcare staff had to use WhatsApp on mobile phones as NHS IT, including email, went down

The National Health Service "was not clear what actions it should take when affected by WannaCry", claims the National Audit Office (NAO) in its official report into the ransomware outbreak in the NHS.

"The Department [of Health] had developed a plan, which included roles and responsibilities of national and local organisations for responding to an attack, but had not tested the plan at local level," the NAO adds.

As a result, there was confusion from top to bottom over how to respond to WannaCry when it ripped through the NHS on Friday 12 May this year.

According to the NAO, the NHS had not rehearsed a response to a national cyber attack and "there were [also] problems with communications".

While some NHS trusts had been reporting IT problems since late morning, it was only at 4pm that NHS England declared the cyber attack a "major incident" and initiated its existing ‘Emergency, Preparedness, Resilience and Response’ plans to act as the single point of coordination for incident management, supported by NHS Digital and another central organisation, NHS Improvement.

"In the absence of clear guidelines on responding to a national cyber attack, local organisations reported the attack to different organisations within and outside the health sector, including local police," claims the NAO.

It continues: "Communication was difficult in the early stages of the attack as many local organisations could not communicate with national NHS bodies by email as they had been infected by WannaCry or had shut down their email systems as a precaution, although NHS Improvement did communicate with trusts' chief executive officers by telephone.

"Locally, NHS staff shared information through personal mobile devices, including using the encrypted WhatsApp application. Although not an official communication channel, national bodies and trusts told us it worked well during this incident," reports the NAO.

NHS England, meanwhile, focused initially on maintaining emergency care, a task made easier by the fact that the ransomware struck on Friday afternoon, meaning minimal disruption to primary care services, which are largely closed on weekends.

The NAO also acknowledged the role played by Marcus Hutchins, the security researcher who stopped the ransomware in its tracks by registering a domain name used by the malware to check whether it was being examined in a sandbox.

Hutchins, however, was arrested in the US just weeks later when he tried to board a flight back to the UK from Las Vegas. The FBI claims he was behind a number of alleged computer crime offences perpetrated as a young teen hacker several years ago.