PAC concludes there is 'long way to go' to improve NHS cyber security

The report issued this week by the Public Accounts Committee on the WannaCry cyber-attack which affected the NHS last year highlights the scale of the challenge involved in improving cyber security across the NHS.

The Wannacry ransomware attack occurred on 12 May 2017, affecting about 80 out of 236 NHS trusts across England, in addition to infecting another 603 NHS organisations including 595 GP practices. The attack resulted in the cancellation of almost 20,000 hospital appointments and operations, and five A&E departments had to divert patients to other hospitals.

According to the report, the attack could have had an even more serious impact on the NHS if it had not happened in the summer, or on a Friday, or had the kill switch not been discovered so soon by a cyber security researcher.

Among other findings, the Committee found that the NHS was unprepared for the WannaCry attack and that 5 per cent of the NHS IT estate was still using old software such as Windows XP. Around one third of trusts had also failed to patch their systems following a critical alert issued by NHS Digital in March and April 2017, prior to the attack.

The report also noted that communications during the attack itself were not co-ordinated and there were no alternative communications methods when email was switched off.

Following the attack, the Department of Health, NHS England and NHS Improvement published a Lessons Learned review with 22 recommendations to strengthen cyber security in the NHS. 

Among the Public Accounts Committee’s recommendations are that the Department for Health and other national and arm’s length bodies should:

  • urgently agree implementation plans arising from the recommendations in their Lessons Learned document, setting out a clear timetable for action;
  • set out clear roles and responsibilities for national and local NHS organisations so that communications are co-ordinated during a cyber-attack;
  • support local organisations to improve cyber security; and
  • estimate the cost to the NHS of WannaCry and agree how to target investment appropriately in line with service and financial risks.

Commenting on the report, Steve Snaith, a technology risk assurance partner at RSM said: ‘This report will make for uncomfortable reading in the Department of Health, but it includes a number of very sensible recommendations. 

‘Key among the recommendations is that the Department for Health should provide a national estimate of the cost to the NHS of the WannaCry attack. While this has not been prioritised to date, we believe this would be a useful exercise in helping to target future investment. 

‘Our work with both private and public sector organisations often involves the monetising of risk to inform the corporate governance framework and cyber control environment. This approach could be incredibly useful in shoring up the NHS’ cyber defences where they are most needed.

‘In addition, organisations should ensure incident response and Business Continuity plans adequately cover cyber risks.

‘While the Wannacry attack had a major impact on the NHS, it was relatively unsophisticated. Future attacks could well be more sophisticated and malicious and the impact could be an awful lot worse.’