1. The NHS was not prepared for WannaCry and there is a long way to go before agreed, prioritised and costed plans for improving cyber security are in place across the NHS. As far back as April 2014 the Department had written to NHS trusts warning them to migrate from old software such as Windows XP. Yet at the time of WannaCry, 5% of the NHS IT estate was still using Windows XP. There were further warnings in 2016 and, even in March and April 2017, just before the attack, NHS Digital had issued warnings to trusts to secure their Windows operating systems. Yet at the time of WannaCry, patching had only taken place in around two-thirds of trusts and none of the 88 trusts assessed had passed NHS Digital’s assessments of their cyber security arrangements. Following WannaCry, the Department and the NHS recognised that things needed to change. In February 2018, the Department, NHS England and NHS Improvement published a Lessons Learned review with 22 recommendations for strengthening the NHS’s cyber security. However, implementation plans have yet to be agreed, and the Department does not know exactly how much the recommendations will cost or when they will be implemented. Some NHS organisations still have a lot to do to improve their cyber security, including Barts Health NHS Trust, one of the largest NHS trusts affected by WannaCry.
Recommendation: The Department and its national bodies should urgently consider and agree implementation plans arising from the recommendations within their Lessons Learned document, prioritising and costing actions, setting a clear timetable, and ensuring national and local roles, responsibilities and oversight arrangements are clear. They should provide an update on progress to the Committee by the end of June 2018.
2. Communications during the cyber-attack were not co-ordinated and there were no alternative communication methods when email was switched off. Local NHS organisations reported the WannaCry attack to different national bodies within and outside the health sector, including to their local police forces, as they did not know where responsibilities lay and who they should contact during a cyber-attack. Communication was also hindered during the cyber-attack as trusts were unable to access email, either because they were infected or because they had shut down their systems as a precaution. As local NHS organisations did not know how to communicate with the Department or other NHS organisations, they resorted to using WhatsApp or personal mobile phones to communicate with each other. Although NHS England’s emergency team were able to communicate with each other during the attack, the Department now accepts that it needed a wider network of contacts to manage the cyber-attack. Since the attack, a cyber handbook has been produced to describe the approach and actions to be taken by NHS organisations in the event of a cyber-attack.
Recommendation: The Department and national bodies should set out clear roles and responsibilities for national and local NHS organisations so that communications are co-ordinated during a cyber-attack. They should also work together to identify and develop secure alternative communication channels for use when email, for example, is unavailable.
3. The Department and its national bodies know more about NHS preparedness for a cyber-attack now, but still have much more to do to support trusts to meet required cyber security standards and to respond to a cyber-attack. Before 12 May 2017, the Department and its national bodies did not know whether every NHS organisation was prepared for a cyber-attack and relied too much on local organisations’ own assessments of their preparedness. NHS England assures us that since WannaCry it now has better visibility of trusts’ preparedness and of which trusts it needs to be most worried about. At the time of our evidence session NHS Digital had completed on-site assessments to test cyber security and identify vulnerabilities at 200 trusts, and all of those trusts had failed the assessment. We are told that this was because a high bar had been set for NHS providers to meet the required standard, but some of the trusts had failed the assessment purely because they had still not patched their systems, the main reason the NHS had been vulnerable to WannaCry. There is also the risk that those organisations not infected by WannaCry, a relatively unsophisticated attack, become complacent and do not keep on top of their cyber security risks. The Department and its arm’s-length bodies still have limited central information on trusts’ IT and digital assets, such as anti-virus software and IP addresses, which would help them to target their support during a cyber-attack.
Recommendation: The Department and its arm’s-length bodies should support local organisations to improve cyber security and be ready for a cyber-attack by developing a full understanding of the cyber security arrangements and IT estate of all local NHS organisations.
4. Without an understanding of the costs of WannaCry, national and local organisations cannot target investment in cyber security. Neither the Department nor its arm’s-length bodies have estimated the financial impact of the WannaCry attack on the NHS. Their focus at the time of the attack was on collecting data to ensure patient safety and continuity of care rather than on assessing financial impact. However, financial data is likely to be available locally, and NHS national bodies collected some information on cancelled appointments and operations. The Department agreed to look again at what it could do. Immediately following the WannaCry attack, the Department reprioritised £21 million of capital funding to address key vulnerabilities in Major Trauma Centres and Ambulance Trusts, while a further £25 million of capital funding has been made available in 2017–18 to support the organisations most vulnerable to cyber security risks. A better understanding of the costs and impact would help both local and central NHS bodies make the best cyber security investment decisions.
Recommendation: The Department should provide an update to the Committee by the end of June 2018 with its national estimate of the cost to the NHS of WannaCry and, with its national bodies, agree with local organisations how to target investment appropriately in line with service and financial risks.
5. Not all local bodies have the means to update and protect systems without disrupting the ongoing delivery of patient care. In the weeks immediately before the attack, NHS Digital had warned trusts to apply a patch that would have prevented WannaCry, but most of the organisations subsequently affected did not do so. Trusts find it difficult to apply patches without disrupting other parts of their IT systems or the operation of equipment vital to patient care. There are also difficulties with medical equipment and systems that can only be updated by external suppliers, where the NHS needs to be proactive in ensuring suppliers are protecting systems properly. But there are ways to mitigate and manage these difficulties if organisations have the requisite skills. All NHS organisations face a challenge in attracting and retaining the right staff, and even NHS Digital itself has only 18 to 20 suitably skilled cyber security staff.
Recommendation: The Department and its arm’s-length bodies should:
6. While the NHS needs to recognise that cyber security is essential for patient safety, there are also lessons from WannaCry for the whole of government. WannaCry could have had a more serious impact on the NHS if it had not happened in the summer, or on a Friday, or if the kill switch had not been discovered so soon by a cyber security researcher. While WannaCry was a relatively unsophisticated and financially motivated attack, future attacks could be more sophisticated and malicious in intent, and involve the theft or compromise of patient data. The Department accepts that cyber-attacks are now a fact of life and that the NHS will never be completely safe from them. The whole of government is at risk of a cyber-attack and, while the Department and NHS bodies are learning lessons from WannaCry, the whole of government must also learn lessons from the cyber-attack. The Department, and in particular NHS Digital, worked closely with the National Cyber Security Centre during and after the WannaCry cyber-attack. In the Department’s view, having a single organisation at the centre of government to work with on cyber security was helpful.
Recommendation: The Department and its national bodies need to make cyber security a priority, and work with wider government, including the Cabinet Office and the National Cyber Security Centre, to share lessons and promote best practice.
18 March 2018