WannaCry—a year on

BMJ 2018; 361 doi: (Published 04 June 2018) Cite this as: BMJ 2018;361:k2381
  1. Guy Martin, clinical research fellow (1)
  2. Saira Ghafur, senior policy fellow (1)
  3. James Kinross, senior clinical lecturer (1)
  4. Chris Hankin, professor (2)
  5. Ara Darzi, professor (1)

  (1) Institute of Global Health Innovation, Imperial College London, UK
  (2) Institute for Security Science and Technology, Imperial College London, UK

Correspondence to: G Martin guy.martin{at}

Investment is important, but a culture change is crucial

The disruption from last year’s WannaCry malware attack affected 60 NHS trusts, 595 general practices, and thousands of patients.[1] The costs of the cybersecurity incident are not known. Worryingly, all 200 NHS hospitals inspected by the Care Quality Commission since the attack have fallen short of the UK government’s Cyber Essentials Plus certification, a basic set of minimum organisational security standards.[2,3]

This sobering finding not only highlights the poor security and resilience in the NHS but also suggests that little real progress has been made in the past year. As we continue to rely ever more on technology, effective cybersecurity should be a fundamental part of the healthcare culture. Any breach, loss, or corruption of patient data can paralyse a hospital, harm individuals, and erode patients’ trust in healthcare systems that are regularly under threat as they are a rich source of data and present a soft target.[4,5] The sophistication of cyberattacks continues to evolve, from amateur hackers or accidental compromise to complex state sponsored attacks. The risk is greater than ever.

Effect on patients

WannaCry was not targeted at the NHS but is now viewed as a warning shot. At a …
