MPs blast NHS over failure to implement cyber reforms after ransomware attack

Posted On: 18th April 2018

The NHS has failed to implement a single recommendation to protect it from another cyber assault almost a year after a major attack hit the health service, MPs have revealed.

The WannaCry attack led to some 20,000 cancelled operations (Credit: PA Images)

Some 22 recommendations were made by the Department of Health and Social Care, NHS England and NHS Improvement in the wake of the WannaCry attack in May 2017.

But in a damning report, the powerful Public Accounts Committee found DHSC still has no idea how much the changes will cost or when they might be implemented.

The attack hit more than 200,000 computers in at least 100 countries, including those in 80 NHS trusts plus 603 other NHS organisations - leading to almost 20,000 cancelled appointments.

The PAC said the NHS was "unprepared" for the attack, and that the health service was "lucky" as the assault could have been "much worse".

Chair of the committee Meg Hillier said: "The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cyber-security and response plans of the NHS.

"But the impact on patients and the service more generally could have been far worse. And government must waste no time in preparing for future cyber-attacks - something it admits are now a fact of life.

"It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed."

The report said the Salisbury nerve agent attack had "heightened concerns about the UK's ability to respond to international threats, and hammers home the risks from those hostile to the UK".

And it added: "A cyber-attack is a weapon which can have a huge impact on safety and security. It needs to be treated as a serious, critical threat.

"The rest of government could also learn important lessons from WannaCry."

A spokesperson for the DHSC said: "Every part of the NHS must be clear that it has learned the lessons of WannaCry.

"The health service has improved its cyber-security since the attack, but there is more work to do to protect data and patient care.

"We have supported that work by investing over £60m to address key cyber-security weaknesses - and plan to spend a further £150m over the next two years to improve resilience, including setting up a new National Secure Operations Centre to boost our ability to prevent, detect and respond to incidents."

It comes amid fears of a major cyber assault from Russia, after it was revealed hackers from the country had gained access to thousands of UK-based devices.