NHS ransomware attack response criticised

AFP NHS signAFP
WannaCry was the biggest cyber-attack to have affected the NHS

The government and NHS bodies have been criticised by MPs for failing to implement measures to improve cyber-security nearly a year after a major ransomware attack on the service.

Twenty-two recommendations were made after the WannaCry attack led to nearly 20,000 cancelled hospital appointments.

The Public Accounts Committee said it was "alarming" these measures had still not been introduced.

The government said cyber-security in the NHS had improved since the attack.

The PAC report found the Department of Health and Social Care (DHSC) and NHS bodies had been "unprepared" for the global WannaCry attack, which happened in May and affected more than 200,000 computers in at least 100 countries.

'Serious vulnerabilities'

A total of 80 of 236 NHS trusts across England suffered disruption, as well as another 603 NHS organisations, including 595 GP practices.

MPs said the attack could have been "much worse" and the NHS had been "lucky" the threat had been tackled quickly.

But they warned future attacks could be more sophisticated and malicious, "resulting in the theft or compromise of patient data".

In February, the DHSC, NHS England and NHS Improvement published a set of 22 "lessons learned" recommendations following the cyber-attack.

But months later the DHSC still did not know what the proposals would cost or when they would be implemented, the committee said.

Meg Hillier, who chairs the PAC, said: "The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cyber-security and response plans of the NHS.

"But the impact on patients and the service more generally could have been far worse. And government must waste no time in preparing for future cyber-attacks - something it admits are now a fact of life.

"It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed."

EPA A programmer shows a sample of the WannaCry locked encryption page on a laptopEPA

The report said cyber-attacks were "weapons" that needed to be treated as a "serious, critical threat".

It said the use of a nerve agent to poison former spy Sergei Skripal and his daughter Yulia in Salisbury had "heightened concerns about the UK's ability to respond to international threats, and hammers home the risks from those hostile to the UK".

The report said: "A cyber-attack is a weapon which can have a huge impact on safety and security.

"It needs to be treated as a serious, critical threat.

"The rest of government could also learn important lessons from WannaCry."

Among other recommendations, the committee called on the DHSC and NHS bodies to urgently agree on and implement cyber-security plans and provide an update on their progress to the committee in June.

A Department of Health and Social Care spokesman said: "Every part of the NHS must be clear that it has learned the lessons of Wannacry.

"The health service has improved its cyber-security since the attack, but there is more work to do to protect data and patient care.

"We have supported that work by investing over £60m to address key cyber-security weaknesses - and plan to spend a further £150m over the next two years to improve resilience, including setting up a new National Secure Operations Centre to boost our ability to prevent, detect and respond to incidents."

A previous report by the National Audit Office found NHS trusts had been left vulnerable during the attack because cyber-security recommendations had not been followed.