
Alarming delays in implementing WannaCry lessons, say MPs

Lack of funding is hampering progress on necessary upgrades and changes to NHS cybersecurity

Louise Prime

Wednesday, 18 April 2018

MPs have criticised the alarming delays in making plans to implement cybersecurity lessons learned from last year’s WannaCry attack on NHS systems. The Public Accounts Committee (PAC) warned that another attack is inevitable, and that the NHS and government still have a lot of work to do to improve cybersecurity. NHS Providers said trusts have taken steps to ensure that they are applying software patches and keeping anti-virus software up to date, but progress is being hampered by lack of capital funding for upgrades and changes.

PAC pointed out in its report, published this morning, that in fact the NHS was ‘lucky’ – disruption from the WannaCry ransomware attack on 12 May 2017, which led to almost 20,000 appointments and operations being cancelled, could have been much worse had it not occurred on a Friday afternoon in the summer, and had the kill switch to stop the virus spreading not been found relatively quickly.

It noted that the Department of Health and Social Care and its arm’s-length bodies were unprepared for even the ‘relatively unsophisticated’ WannaCry; they had not shared and tested plans for responding to a cyberattack, nor had any trust passed a cybersecurity inspection. As a result, during the attack itself people across the NHS had to resort to using improvised and haphazard ways to communicate because they did not know how best to reach the Department or other NHS organisations.

PAC added that despite this ‘wake-up call for the NHS’, the DHSC is hindered in its ability to target its investment in cybersecurity because, almost a year on, the Department still does not know the extent of the attack’s financial impact on the NHS. It warned: “Although the Department and NHS bodies have learned lessons from WannaCry, they have a lot of work to do to improve cyber-security for when, and not if, there is another attack.”

Committee chair Meg Hillier MP commented: “The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cyber security and response plans of the NHS. But the impact on patients and the Service more generally could have been far worse and Government must waste no time in preparing for future cyberattacks – something it admits are now a fact of life. It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed.”

She added that PAC was shocked that some NHS trusts had been so ill-prepared for WannaCry, in many cases having failed to act on warnings to patch exposed systems, and warned: “Government must get a grip on the vulnerabilities of and challenges facing local organisations, as well as the financial implications of WannaCry and future attacks across the NHS. Cybersecurity investment cannot be properly targeted unless this information is collected and understood.”

NHS Providers agreed that cybersecurity must be a priority, adding that this means it is vital to protect capital investment. Its director of development and operations Ben Clacy said: “It is absolutely right that we continue to learn important lessons and strengthen how the NHS responds to inevitable future attacks … However, with no indication that there will be the capital available to carry out the required upgrades and changes, progress is being hampered. Cybersecurity must be a priority so it is vital that the capital investment needed is protected from plugging gaps in day to day spending.”
