NHS Digital stopped short of advising health organisations in England not to cough up for the WannaCrypt ransom attack because it couldn't be certain that all hospitals had backed up patient records.
Dan Taylor, head of security at NHS Digital, told thousands of NHS organisations everything about the attack – except explicitly not to pay the ransom.
"We support organisations in cyber, but we can't mandate what organisations do," he said at a WSJ Pro Cybersecurity event in London titled How Executives Can Manage the Risks.
"They are all individual businesses and if I am being honest there may be some organisations that have corrupted backups... or don't have backups.
"No NHS organisation paid, as there was no need to. But if you are an organisation with no way of backing up and are on your knees, you will need to make a risk-based decision of whether to pay or not."
The global cyber attack began on Friday, 12 May, affecting more than 200,000 organisations in 150 countries. In the UK it hit 47 NHS trusts as well as GP practices, resulting in operations being cancelled and patients being turned away from A&E. However, a total of just $50,000 (£38,000) was paid.
NHS Digital became aware of the attack on Friday morning. "However, what we started to see very quickly was a domino effect. We could see the attack was different in the way it was happening and within the first 90 minutes, we knew it was much wider than the NHS," said Taylor.
"It was not the best day," deadpanned Taylor, who has been head of security at NHS Digital since February 2015. But he said it was something the body was braced for, as tens of millions of infection attempts are blocked across the NHS every month. "We are being targeted but not directly attacked."
He said: "Actually it wasn't the worst thing that could have happened to us... the lessons learned from it will make us better in the future."
Taylor said organisations need to take a "defence in depth" approach to information assurance, putting multiple layers of security controls in place.
He said there were organisations within the NHS that were running unpatched versions of Windows XP but did not get a single infection because their machines were safe behind their network.
The knee-jerk decision by some organisations to cut themselves off completely from the NHS network and email made it harder for NHS Digital to communicate with them during the attack.
"We need to help them back a risk-based decision," he said. "The feedback was that they did it because they thought it was the right thing to do, but on reflection it probably wasn't." ®