Last updated:

NHS unprepared for cyber attack

The health service remains unprepared in the event of another cyber attack on NHS IT systems, a Parliamentary report has warned.

The Department of Health and Social Care needs to do a lot more to improve NHS trusts’ cyber security in the face of potential future threats, the Parliamentary PAC (public accounts committee) has warned, in its report on last year’s ‘WannaCry’ ransomware cyber attack.

The report says that the event has highlighted the weaknesses of health service IT systems, but that, nearly a year on, many trusts remained unprepared and vulnerable to future attacks.

It says: ‘The WannaCry cyber attack on Friday 12 May 2017 was a wake-up call for the NHS. The attack caused widespread disruption to health services, with more than a third of NHS trusts affected.

‘The DHSC and its arm’s-length bodies were unprepared for the relatively unsophisticated WannaCry attack; they had not shared and tested plans for responding to a cyber attack, nor had any trust passed a cyber security inspection.

‘Although the department and NHS bodies have learned lessons from WannaCry, they have a lot of work to do to improve cyber security for when, and not if, there is another attack.’

It adds: ‘While WannaCry was a relatively unsophisticated and financially motivated attack, future attacks could be more sophisticated and malicious in intent, and involve the theft or compromise of patient data.’


Held to ransom

The May 2017 attack, which saw hackers steal data and block access to systems to extract ransom payments, targeted hundreds of thousands of computers worldwide.

In the UK the attack particularly affected the health service, with around 80 NHS trusts and 595 GP practices across England suffering, either owing to ransomware infection or precautionary shut downs of IT systems.

As a result of the disruption, the NHS had to cancel almost 20,000 operations and hospital appointments, while five emergency departments were forced to divert patients to other sites. A number of practices were compromised for more than a week after the attack.

A joint review published by NHS England and NHS Improvement in February set out 22 recommendations designed to improve cyber security in the health service, although the PAC report notes that these are yet to be implemented.

The committee further warned that NHS organisations had struggled to maintain effective communication with the DHSC during the attack, and that the latter was still unclear as to what the full financial impact of the attack had been.


Response plan

In its recommendations, the committee has called on the DHSC to set out clear roles and responsibilities for NHS organisations at national and local levels for ensuring coordinated communications during a future attack.

It has also called on the department to implement its own recommendations, and to provide a progress update on this by the end of June this year.

BMA council chair Chaand Nagpaul said that the report’s findings indicating a continued lack of preparedness was troubling, particularly at a time of apparently heightened international risk of cyber attack.

He said: ‘Last year’s cyber attack had a disruptive and disconcerting impact on the health service, and it is vital that the necessary steps are taken to ensure the security of hospital and GP surgery IT systems, in the event of a future attack of this kind.

‘Although staff worked tirelessly during last year’s attack to mitigate its effects, trusts must be adequately supported by the DHSC, NHS England and NHS Improvement, so that their ability to provide patient care and protect patient data, are not compromised.’

Read more from Tim Tonkin and follow on Twitter.