/ Insights / Computer says no: Three key lessons from the NHS cyber-attacks

Free thinking from Grayling people

Computer says no: Three key lessons from the NHS cyber-attacks

22nd May 2017

Rachel Ilett, Senior Account Executive, Grayling UK, analysis the crisis communications learnings from the WannaCry attacks.

On Friday 12 May, the NHS was hit by what Europol has called, ‘the largest ransomware attack observed in history.’ 47 NHS Trusts in England and 13 Scottish NHS Organisations were impacted by cyber-attacks, which saw ambulances diverted from A&E, cancer patients’ treatment delayed and major operations postponed.

The WannaCry attacks have since spread to 150 countries worldwide, affecting government agencies and companies including FedEx Corp, Telefonica, Germany’s rail operator, Deutsche Bahn and Russia’s Interior Ministry.

So what lessons can be learnt from the NHS cyber-attacks about communicating in a crisis?

1. Know your audience

Which stakeholders do you need to communicate with and how will you reach them? This will of course vary greatly depending on the company or organisation and, as such, there is no prescriptive advice. In the case of the NHS, a provider of vital public services, its most important stakeholders are obviously its patients. Given that any one of us could become a patient at any time and urgently require NHS care, in reality this means the general public, not just those currently with ‘patient’ status.

Statements from NHS Trusts and bodies outlining advice for patients were quoted in web stories on the likes of, a site which has millions of visitors every month. During radio interviews with BBC’s Today Programme and BBC Radio 5 Live Breakfast, NHS Providers Chief Executive, Chris Hopson, also signposted the public to websites where they could get the latest information on NHS services. While many of the NHS bodies are using digital platforms to communicate updates, a multimedia approach ensures that older demographics are reached too.

2. Highlight the positives

In a crisis, a robust communications response should be tuned in to the media landscape, taking stock of critique from stakeholders and journalists. It should acknowledge that some of the challenges presented by the crisis cannot be mitigated in the short-term and instead focus on emphasising the positive aspects of the situation. The NHS has faced a barrage of negative attention in the days following the crisis breaking. This included criticism that, counter to advice, several NHS Trusts were using the outdated Windows XP system or had not downloaded patches that would protect them from malicious software.

Unable to confirm details of why the NHS was hit or indeed accept culpability before a complete investigation, the NHS and government communications have instead focused on highlighting the positive – namely that patient data protection wasn’t breached at any point, that 80% of Trusts were entirely unaffected by the attacks, and that more than 95% of services were back up and running within 24 hours.

3. The importance of timing

In the days immediately following the crisis, senior NHS spokespeople made statements to the media. NHS England’s Incidents Director, Dr Anne Rainsberry, gave a short and reassuring video statement to The Telegraph, informing the public that the NHS was putting ‘well tested plans’ for a cyber security incident into action and giving clear advice to patients about services. News on which Trusts and hospitals were affected was also quickly disseminated, and individual hospitals put out information on the status of their services via social and online channels. The lesson? A swift reaction to a crisis gives the strong impression that you are in control and are taking it seriously.

Concurrently, exaggerating your handle on the issue or claiming the storm has passed before being certain could also leave you open to further criticism. The crisis could evolve in ways you hadn’t anticipated and accepting that it may take time to restore confidence is a safer bet. On the Saturday, the day after the crisis broke, the National Cyber Security Centre advised that more ransomware cases were likely to appear on Monday. On Monday, it was announced that, in fact, a ‘second spike’ had not hit and that two thirds of NHS trusts were fully operational. This measured approach gave an impression that the NHS’ control of the issue was steadily improving.


Companies using leading edge technology and with greater resources to fall back on than the NHS have been disrupted by the ransomware attacks. Given the life or death nature of its operations, the potential damage posed by an all-out crisis in the NHS is unsurpassed by almost any other organisation or company. Yet in the five days since the crisis broke, NHS communications have successfully prevented a full blown crisis by disseminating important information to key stakeholders and have been central to the perception of restoring control.

Grayling Team

Latest Insights

15th November 2016

Is This Real Time?

Will Kunkel, Executive Vice President for Creative and Content in Grayling New York, on the final of our #7for17 trends, Live and Uncut‘Timing is everything’ has been a favorite line to many but...

Read More

8th November 2016

One Small Step for a Brand…

Danica Ross, Grayling San Francisco US Executive Vice President, on how brands can guide themselves through the ‘the new space race’ – part of our #7for17 trends series.In an era where brands...

Read More

3rd November 2016

Strange Bedfellows, or Pragmatic Policy-Making?

Russell Patten, Chair of Grayling’s European Public Affairs practice, looks at one of the major political trends as part of our #7for17 series. It’s been a turbulent year in politics, with the...

Read More