The WannaCry cyber-attack on Friday 12 May 2017 was a wake-up call for the NHS. The attack caused widespread disruption to health services, with more than a third of NHS trusts affected. The NHS had to cancel almost 20,000 hospital appointments and operations, and patients were diverted from the five accident and emergency departments that were unable to treat them. Yet the NHS was lucky. If the attack had not happened on a Friday afternoon in the summer and the kill switch to stop the virus spreading had not been found relatively quickly, then the disruption could have been much worse. The Department of Health and Social Care (the Department) and its arm’s-length bodies were unprepared for the relatively unsophisticated WannaCry attack; they had not shared and tested plans for responding to a cyber-attack, nor had any trust passed a cyber-security inspection. As the attack unfolded, people across the NHS did not know how best to communicate with the Department or other NHS organisations and had to resort to using improvised and haphazard ways to communicate. The Department still does not know what financial impact the WannaCry cyber-attack had on the NHS, which is hindering its ability to target its investment in cyber security. Although the Department and NHS bodies have learned lessons from WannaCry, they have a lot of work to do to improve cyber-security for when, and not if, there is another attack. The recent shocking use of a nerve agent to poison those on British soil has heightened concerns about the UK’s ability to respond to international threats, and hammers home the risks from those hostile to the UK. A cyber-attack is a weapon which can have a huge impact on safety and security. It needs to be treated as a serious, critical threat. The rest of government could also learn important lessons from WannaCry.
18 March 2018