The Public Accounts Committee has published its report into the WannaCry cyber-attack that happened on May 12, 2017 and affected some 80 of England’s 236 NHS Trusts. WannaCry resulted in the cancellation of almost 20,000 hospital appointments and operations as well as the diversion of patients from five accident and emergency departments that were unable to treat them.
The report argues that lessons have been learned from WannaCry, but there is still much to do to improve cyber security so the NHS is in a better position next time there is an attack.
Issues raised include the need for a plan to co-ordinate communications during any future attack, with alternative channels available if email is unavailable. Those affected by WannaCry did not know who to report their problems to or how to communicate with the Department of Health and Social Care; some staff resorted to WhatsApp or personal mobile phones. A cyber handbook has been produced, but clear roles and responsibilities still need to be set out.
Importantly, there is still no estimate of the financial impact of WannaCry, without which it is stated that organisations, both nationally and locally, cannot effectively target investment in cyber security. A better understanding of the costs and impact would help organisations to make the best investment decisions.
The report recommends a deadline of the end of June 2018 for the Department to provide a national estimate of the cost of WannaCry to the NHS and for its national bodies to agree with local organisations on how to target investment appropriately in line with service and financial risks.
A full understanding of an organisation’s cyber security arrangements is also necessary. Before May 2017 the Department relied too much on a local organisation’s own assessment of how prepared it was. NHS Digital has since completed on-site assessments to test cyber security and identify vulnerabilities at 200 Trusts, and every one of them failed the assessment. The Public Accounts Committee was told that the standard required for this assessment was high, but the report also notes that some Trusts failed because they had still not patched their systems, which was the main reason the NHS had been vulnerable to WannaCry in the first place.
Patching in itself has presented problems for some organisations. It can be difficult to apply a patch without disrupting other parts of the IT system or the operation of equipment vital to patient care, and sometimes a third party is responsible for this activity. In addition, all NHS organisations face a challenge in attracting and retaining suitably skilled staff; even NHS Digital has only 18-20 suitably skilled cyber security staff!
“As we approach the anniversary of the WannaCry attack it is absolutely right that we continue to learn important lessons and strengthen how the NHS responds to inevitable future attacks,” says Ben Clacy, Director of Development and Operations at NHS Providers, commenting on the Committee’s findings.
“The Public Accounts Committee rightly acknowledges that lessons have been learned by the NHS bodies and the Department of Health and Social Care, including how they communicate with Trusts and the public. Trusts have also taken further steps to ensure they are applying software patches and keeping anti-virus software up to date.
“However, with no indication that there will be the capital available to carry out the required upgrades and changes, progress is being hampered. Cyber security must be a priority so it is vital that the capital investment needed is protected from plugging gaps in day-to-day spending.”
It could have been worse
The WannaCry attack was not specifically targeted at the NHS; it affected almost 200,000 computers in at least 100 countries, so there are wider lessons for government to learn. In particular, the consequences for the NHS could have been far worse.
The report cautions that WannaCry was relatively unsophisticated and that the disruption caused could have been worse had a cyber security researcher not discovered the ‘kill switch’ as quickly as they did. It warns: “Future attacks could be more sophisticated and malicious in intent, resulting in the theft or compromise of patient data.”
The Department of Health and its arm’s-length bodies accept that they need to learn lessons and make changes in response to WannaCry.