/ Insights / Computer says no: Three key lessons from the NHS cyber-attacks

Free thinking from Grayling people

Computer says no: Three key lessons from the NHS cyber-attacks

22nd May 2017

Rachel Ilett, Senior Account Executive, Grayling UK, analysis the crisis communications learnings from the WannaCry attacks.

On Friday 12 May, the NHS was hit by what Europol has called, ‘the largest ransomware attack observed in history.’ 47 NHS Trusts in England and 13 Scottish NHS Organisations were impacted by cyber-attacks, which saw ambulances diverted from A&E, cancer patients’ treatment delayed and major operations postponed.

The WannaCry attacks have since spread to 150 countries worldwide, affecting government agencies and companies including FedEx Corp, Telefonica, Germany’s rail operator, Deutsche Bahn and Russia’s Interior Ministry.

So what lessons can be learnt from the NHS cyber-attacks about communicating in a crisis?

1. Know your audience

Which stakeholders do you need to communicate with and how will you reach them? This will of course vary greatly depending on the company or organisation and, as such, there is no prescriptive advice. In the case of the NHS, a provider of vital public services, its most important stakeholders are obviously its patients. Given that any one of us could become a patient at any time and urgently require NHS care, in reality this means the general public, not just those currently with ‘patient’ status.

Statements from NHS Trusts and bodies outlining advice for patients were quoted in web stories on the likes of, a site which has millions of visitors every month. During radio interviews with BBC’s Today Programme and BBC Radio 5 Live Breakfast, NHS Providers Chief Executive, Chris Hopson, also signposted the public to websites where they could get the latest information on NHS services. While many of the NHS bodies are using digital platforms to communicate updates, a multimedia approach ensures that older demographics are reached too.

2. Highlight the positives

In a crisis, a robust communications response should be tuned in to the media landscape, taking stock of critique from stakeholders and journalists. It should acknowledge that some of the challenges presented by the crisis cannot be mitigated in the short-term and instead focus on emphasising the positive aspects of the situation. The NHS has faced a barrage of negative attention in the days following the crisis breaking. This included criticism that, counter to advice, several NHS Trusts were using the outdated Windows XP system or had not downloaded patches that would protect them from malicious software.

Unable to confirm details of why the NHS was hit or indeed accept culpability before a complete investigation, the NHS and government communications have instead focused on highlighting the positive – namely that patient data protection wasn’t breached at any point, that 80% of Trusts were entirely unaffected by the attacks, and that more than 95% of services were back up and running within 24 hours.

3. The importance of timing

In the days immediately following the crisis, senior NHS spokespeople made statements to the media. NHS England’s Incidents Director, Dr Anne Rainsberry, gave a short and reassuring video statement to The Telegraph, informing the public that the NHS was putting ‘well tested plans’ for a cyber security incident into action and giving clear advice to patients about services. News on which Trusts and hospitals were affected was also quickly disseminated, and individual hospitals put out information on the status of their services via social and online channels. The lesson? A swift reaction to a crisis gives the strong impression that you are in control and are taking it seriously.

Concurrently, exaggerating your handle on the issue or claiming the storm has passed before being certain could also leave you open to further criticism. The crisis could evolve in ways you hadn’t anticipated and accepting that it may take time to restore confidence is a safer bet. On the Saturday, the day after the crisis broke, the National Cyber Security Centre advised that more ransomware cases were likely to appear on Monday. On Monday, it was announced that, in fact, a ‘second spike’ had not hit and that two thirds of NHS trusts were fully operational. This measured approach gave an impression that the NHS’ control of the issue was steadily improving.


Companies using leading edge technology and with greater resources to fall back on than the NHS have been disrupted by the ransomware attacks. Given the life or death nature of its operations, the potential damage posed by an all-out crisis in the NHS is unsurpassed by almost any other organisation or company. Yet in the five days since the crisis broke, NHS communications have successfully prevented a full blown crisis by disseminating important information to key stakeholders and have been central to the perception of restoring control.

Grayling Team

Latest Insights

19th June 2019

Four Storytelling Lessons from Melinda Gates

Grayling account director, Niveen Saleh sifts Melinda Gates’s recent media appearance for tips. Melinda Gates, philanthropist and woman in tech, recently appeared on Netflix’s My Next Guest...

Read More

14th June 2019

Is Google's Algorithm Biased?

There’s no denying the impact Google Search has on perception. Every day billions of people trust its algorithm to deliver the best content from across the web for any given subject. That’s a...

Read More

9th June 2019

How to write a PR brief

Looking for a new PR agency? Grayling’s West Coast Lead and Global Head of Strategic Services, Jon Meakin offers some tips on what to include in the ideal brief. After more than 25 years in the...

Read More