18.04.18
Cyber security plans impossible as NHS still in dark about WannaCry
The WannaCry cyber-attack on 12 May 2017 was a wake-up call for the NHS, and the Department of Health and Social Care (DHSC) must now act on priorities by June this year, the Public Accounts Committee (PAC) has argued.
The attack caused widespread disruption to health services, with more than a third of trusts affected by the ransomware. The NHS had to cancel almost 20,000 hospital appointments and operations as patients were diverted from the five A&E departments that were unable to treat them.
If the attack had not happened on a Friday afternoon in the summer and the kill switch to stop the virus spreading had not been found relatively quickly, then the disruption could have been much worse, MPs claimed.
PAC said the DHSC and its arm’s-length bodies were unprepared for the relatively unsophisticated WannaCry threat and that they had not shared and tested plans for responding to a cyber-attack, nor had any trust passed a cyber security inspection.
To make matters worse, the department still does not know what financial impact the WannaCry cyber-attack had on the NHS, which is hindering its ability to target its investment in cyber security.
The committee said that, even though lessons have been learnt from the attack, the department and NHS bodies have a lot of work to do to improve cyber-security for when, and not if, there is another attack.
MPs urged the DHSC to provide the committee with an update by the end of June at the latest.
PAC chair Meg Hillier said: “The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cyber security and response plans of the NHS.
“Government must get a grip on the vulnerabilities of and challenges facing local organisations, as well as the financial implications of WannaCry and future attacks across the NHS. Cyber security investment cannot be properly targeted unless this information is collected and understood.”
Meanwhile, Hillier added, this case should serve as a warning to the whole of government: a “foretaste of the devastation that could be wrought by a more malicious and sophisticated attack.” When this comes, the UK must be ready, she argued.
Responding to the report, the director of development and operations at NHS Providers, Ben Clacy, said: “The PAC rightly acknowledges that lessons have been learned by the NHS bodies and the DHSC, including how they communicate with trusts and the public. Trusts have also taken further steps to ensure they are applying software patches and keeping anti-virus software up to date.
“However, with no indication that there will be the capital available to carry out the required upgrades and changes, progress is being hampered. Cyber security must be a priority so it is vital that the capital investment needed is protected from plugging gaps in day-to-day spending.”
Clacy concluded: “It is also worth remembering that this attack was not specific to the NHS. It affected thousands of computers in hundreds of countries.”