WannaCry: Has enough progress been made in the NHS?

Source: NHE May/June 18

Last year's major cyber-attack highlighted the importance of being prepared for digital threats. But what progress has really been made since then, and what else needs to change to ensure the NHS isn't vulnerable? Adam Wright, policy officer for finances at NHS Providers, investigates.

It is widely perceived that the NHS has had a troubled history with digital transformation and information technology. That’s why, last year, many incorrectly jumped to the conclusion that a cyber-attack had been launched against the health service and subsequently labelled it “the NHS cyber-attack.” In fact, the WannaCry ransomware attack affected various companies ranging from Telefonica to Deutsche Bahn; the NHS was simply one of many victims.

But while the NHS was not the only organisation to suffer from the attack, its experience was unique. Delivering healthcare services, at scale, with the regulatory and funding constraints of the public sector, meant that the NHS needed a distinct response to the WannaCry incident. Fortunately, and in part thanks to the dedication of NHS staff, the attack had a limited impact on services and acted as a dress rehearsal for potential larger attacks. A year on, we need to review how much progress the NHS has made.

What has already happened?

Across the system, we now have a better understanding of the issues and challenges associated with cyber security. Since last year’s attack, we have had three national reviews, from the Public Accounts Committee (PAC), the National Audit Office and NHS England, as well as the government’s response to the Caldicott Review. The incident certainly acted as a catalyst for raising awareness of the issue of cyber security.

The national leadership of the NHS has prioritised the delivery of various infrastructure programmes. Chief among these initiatives is the recent Microsoft deal to bring in Windows 10. This operating system is more robust than its predecessors and should allow trusts to more easily detect viruses, phishing and malware.

Alongside this, NHS Digital has gone to market for a new NHS cyber security centre that will coordinate and take responsibility for NHS-wide cyber defences.

In terms of funding, £21m has been allocated to upgrade firewalls and network infrastructure in major trauma centres and ambulance trusts, while a further £25m of capital funding was set aside in 2017-18 to support trusts that were non-compliant against high-severity CareCERT alerts. Whilst these initiatives alone are not enough for trusts to adequately protect themselves from future threats, they are welcome, particularly given previous national sclerosis.

At local and regional levels, progress is being made to work more closely together on cyber security. There are good examples of sustainability and transformation partnerships developing joint incident response plans, as well as coordinating investment and procurement.

In addition to this, NHS Digital has implemented CareCERT Collect, which requires all NHS bodies to report within 48 hours on action they have taken on high-severity CareCERT alerts. Closer working and collaboration is a positive step towards better management of cyber security.

What still needs to happen?

One of the key themes that came out from the national reviews was around leadership at both the national and local levels, and in particular at board level. Local and national leaders need to stand up and take cyber security seriously, rather than simply seeing it as a cost pressure. NHS England’s head of architecture, Inderjit Singh, went as far as suggesting that cyber security is a board issue, not a technology issue. There is variation in the quality of cyber security leadership across the country, and in some cases it has almost been non-existent. NHS England’s recommendation that boards should appoint a lead on data security is the right one.

But an even more important development has been the establishment of the NHS Digital Academy, which will produce and train 300 digital leaders across the NHS over the next three years. This is an important step towards cyber security, and digital health more generally, becoming more prominent during board discussion. Developing the NHS’s digital leaders is a continuing process.

While there has been a lot of work diagnosing the issues, we still need to follow through on the multitude of recommendations that have been produced. Only last month, the PAC stated its concern at the lack of agreement on how to implement lessons learned. The £20m NHS cyber security centre, which had formed a key part of the national response, has been delayed and looks far from being launched.

But recommendations also need to be followed through at local level. For example, there needs to be more work undertaken by trusts with suppliers to ensure infrastructure is up to date. More broadly, the system needs to tackle the barriers which undermine its ability to act at pace; we know another attack is inevitable, so all need to operate at speed to build resilience.

Ultimately, however, a commitment to investment is needed to back up any progress that can be made. It was widely reported that one recommendation from NHS England’s initial review would cost £1bn alone. The £21m capital funding for major trauma centres and ambulance trusts was diverted from the Paperless 2020 agenda programme; it does not represent new money. We know trusts’ access to capital funding more generally has been suboptimal, and the WannaCry attack simply provided a very stark demonstration of how dangerous underinvestment is. In this context, genuinely new funding would be more effective for trusts who need to invest in order to take forward the lessons learned.

On the anniversary of the WannaCry attack, we can confidently point to the areas of cyber security where the NHS needs to improve. But the next attack is question of ‘when,’ not ‘if.’

Across the system, the NHS needs to support and develop leaders who will be able to take forward the multiple recommendations that have been produced. This won’t work without adequate funding, which trusts currently struggle to access. Progress has been made over the last 12 months, but we can’t afford to lose momentum.


Enjoying NHE? Subscribe here to receive our weekly news updates or click here to receive a copy of the magazine!


There are no comments. Why not be the first?

Add your comment


national health executive tv

more videos >

latest healthcare news

Trust to remain in special measures and issued with second CQC warning notice despite improvements

15/05/2019Trust to remain in special measures and issued with second CQC warning notice despite improvements

Norfolk and Norwich University Hospital NHS FT (NNUH) is to remain in special measures and has received a second CQC warning notice despite the C... more >
London trust and CCG to appoint first joint leader in new shared working plans

15/05/2019London trust and CCG to appoint first joint leader in new shared working plans

A London trust and CCG have published new plans to increase the level of joint working between Croydon’s NHS services by appointing a new s... more >
NHS lost £212m from prescription fraud last year whilst 1.7m people wrongly fined, NAO finds

15/05/2019NHS lost £212m from prescription fraud last year whilst 1.7m people wrongly fined, NAO finds

Around 1.7 million fines have been wrongly handed out to patients and then overturned in the last five years, whilst the NHS also lost £212... more >

681 149x260 NHE Subscribe button

the scalpel's daily blog

System working in an uncertain world

09/05/2019System working in an uncertain world

What, exactly, is an integrated care system? Well, it’s unclear, writes Kacey Cogle, policy advisor at NHS Providers. On the NHS England website, integrated care systems (ICSs) are not clearly defined, referring to STPs (sustainability and transformation partnerships), the predecessor of ICSs, in the first few lines without clarity on the differences between the two. So it is unsurprising that there is some confusion within STPs o... more >
read more blog posts from 'the scalpel' >


How can winter pressures be dealt with? Introduce a National Social Care Service, RCP president suggests

24/10/2018How can winter pressures be dealt with? Introduce a National Social Care Service, RCP president suggests

A dedicated national social care service could be a potential solution to surging demand burdening acute health providers over the winter months,... more >
RCP president on new Liverpool college building: ‘This will be a hub for clinicians in the north’

24/10/2018RCP president on new Liverpool college building: ‘This will be a hub for clinicians in the north’

The president of the Royal College of Physicians (RCP) has told NHE that the college’s new headquarters based in Liverpool will become a hu... more >
Duncan Selbie: A step on the journey to population health

24/01/2018Duncan Selbie: A step on the journey to population health

The NHS plays a part in the country’s wellness – but it’s far from being all that matters. Duncan Selbie, chief executive of Pu... more >
Cutting through the fake news

22/11/2017Cutting through the fake news

In an era of so-called ‘fake news’ growing alongside a renewed focus on reducing stigma around mental health, Paul Farmer, chief exec... more >

last word

Hard to be optimistic

Hard to be optimistic

Rachel Power, chief executive of the Patients Association, warns that we must be realistic about the very real effects of continued underfunding across the health service. It’s now bey... more > more last word articles >

editor's comment

25/09/2017A hotbed of innovation

This edition of NHE comes hot on the heels of this year’s NHS Expo which, once again, proved to be a huge success at Manchester Central. A number of announcements were made during the event, with the health secretary naming the second wave of NHS digital pioneers, or ‘fast followers’, which follow the initial global digital e... read more >

health service focus