13.The Department for Health and Social Care (the Department) told us that neither it nor its arm’s-length bodies had estimated the national financial cost of the WannaCry attack to the NHS. They did, however, assure us that no NHS organisation had paid the ransom. National bodies had collected some data from local organisations during the attack, such as on cancelled appointments and operations, but this data had been collected to help the NHS manage, and recover from, the cyber-attack, not to assess the cost of the attack. The Department felt that a retrospective collection of data to assess the financial impact would be too burdensome on local organisations, and the Department and its arm’s-length bodies saw little benefit in doing this since the national case for change, and for investment, in cyber security had already been made.
14.We recognise that at the time of the attack the focus would have been on patient care rather than on working out what WannaCry was costing the NHS. However, an understanding of the financial impact on the NHS is also important in assessing the seriousness of the attack and is likely to be relevant in informing future investment decisions in cyber security. We pressed the witnesses on the importance of also understanding the financial cost of the attack, and the Department agreed to look again at whether it could provide a global estimate of the financial cost of WannaCry without an overly burdensome additional data collection from local organisations. The Department and its arm’s-length bodies added that many NHS staff undertook unpaid overtime to manage the WannaCry attack.
15.The Department is investing more in cyber security following the WannaCry attack. Between 2015 and 2020, the Department had originally allocated £4.2 billion to IT programmes, including £50 million for cyber security. Immediately following the WannaCry attack, the Department reprioritised £21 million of capital funding to address key vulnerabilities in Major Trauma Centres and Ambulance Trusts, while a further £25 million of capital funding was made available in 2017–18 to support the organisations most vulnerable to cyber security risks. The Department told us that at least a further £150 million will be invested in local infrastructure, as well as in national systems and services to improve monitoring, resilience and response, in 2018–19 and 2019–20. Taken together (£21 million, £25 million and £150 million), this means that since WannaCry the Department has allocated an additional £196 million for cyber security up to 2020. The Department explained that it is difficult to be precise about expenditure on cyber security because expenditure on general upgrades to IT systems often improves cyber security, and local organisations also invest in their own cyber security.
16.Most NHS organisations could have prevented WannaCry by applying a patch released by Microsoft for Windows 7 (more than 90% of devices in the NHS use the Windows 7 operating system). NHS Digital had issued CareCERT alerts in March 2017 and April 2017 asking NHS organisations to apply this patch. Despite this, many organisations did not apply it; the majority of organisations infected by WannaCry were using Windows 7 and could therefore have prevented the infection. NHS England and NHS Digital told us that the complexity and size of trusts’ IT estates meant that trusts find patching their systems difficult; the Royal Free London NHS Foundation Trust, for example, had more than 10,000 computers and devices. Patching can disrupt the use of medical equipment and present a clinical risk to patients, and applying a patch in one part of an IT system can cause disruption elsewhere in that system. In addition, medical devices provided by external suppliers need to be updated by that supplier rather than by the trust. Some major IT suppliers cannot patch one system in isolation but need to patch across their entire estate, which can take time. The NHS needs to be proactive in ensuring that its suppliers are patching, or at least to understand where it might be vulnerable and take action accordingly.
17.NHS Digital and NHS England told us that there were a number of potential mitigations for these challenges, based on having layers of cyber security in place to protect organisations rather than relying on a single type of protection. For example, NHS organisations could have prevented WannaCry, even without patching their systems, had they taken action to manage their firewalls. Organisations can also protect themselves by segmenting their networks (so that not every IT device on the network can connect to every other device) and, in particular, by isolating medical devices from their networks. NHS Digital told us it has developed guidance for trusts on isolating medical devices from their networks. NHS England also told us that the NHS could work more closely with suppliers of medical devices to make sure those devices can be updated when patches are available.
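The paragraph above describes firewall management and network segmentation only in outline. As an added illustration, not drawn from the report, from NHS Digital’s guidance or from any NHS system, the following Python script models a first-match firewall policy between network segments and audits it for the one thing that mattered for WannaCry: whether the worm’s propagation traffic could cross a segment boundary. WannaCry spread over SMB on TCP port 445; that is a fact about the malware, not a statement in the report. The segment names, rulesets and the "clinical_devices" segment are all constructed for the example, and the "flat" ruleset stands in for an unsegmented estate.

```python
"""Toy first-match firewall policy checker (added example; constructed data).

Models what "managing firewalls" and "segmenting networks" mean in checkable
terms: can the port WannaCry used to spread cross a segment boundary?
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# WannaCry propagated over SMB on TCP/445. This is a fact about the malware,
# not something stated in the Committee's report.
SMB_PORT = 445


@dataclass(frozen=True)
class Rule:
    src: str             # segment name, or "any"
    dst: str             # segment name, or "any"
    port: Optional[int]  # None means any port
    action: str          # "allow" or "deny"


def matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    """True if the rule applies to traffic src -> dst on port."""
    return (rule.src in ("any", src)
            and rule.dst in ("any", dst)
            and (rule.port is None or rule.port == port))


def decision(rules: List[Rule], src: str, dst: str, port: int,
             default: str = "deny") -> str:
    """First matching rule wins, as on most firewalls; else the default."""
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule.action
    return default


def audit_smb_exposure(rules: List[Rule], segments: List[str],
                       default: str = "deny") -> List[Tuple[str, str]]:
    """Return (src, dst) pairs where SMB is allowed across a segment boundary.

    The internet is included as a source so that an internet-facing rule
    that lets 445 in is reported alongside lateral exposure between segments.
    """
    findings = []
    for src in ["internet"] + segments:
        for dst in segments:
            if src != dst and decision(rules, src, dst, SMB_PORT, default) == "allow":
                findings.append((src, dst))
    return findings


# Constructed segments (hypothetical names).
SEGMENTS = ["corporate", "clinical_devices"]

# Constructed "flat" estate: one permit-everything rule, no segmentation.
FLAT_RULES = [Rule("any", "any", None, "allow")]

# Constructed segmented estate: SMB blocked at the internet edge and between
# segments, while the management traffic the estate still needs is allowed.
SEGMENTED_RULES = [
    Rule("internet", "any", SMB_PORT, "deny"),
    Rule("corporate", "clinical_devices", SMB_PORT, "deny"),
    Rule("clinical_devices", "corporate", SMB_PORT, "deny"),
    Rule("corporate", "clinical_devices", 443, "allow"),
    Rule("internet", "corporate", 443, "allow"),
]

# Constructed misordered estate: a broad allow placed ahead of the SMB deny
# shadows it, so the deny is never reached. The audit catches this.
SHADOWED_RULES = [
    Rule("internet", "any", SMB_PORT, "deny"),
    Rule("corporate", "clinical_devices", None, "allow"),     # too broad, first
    Rule("corporate", "clinical_devices", SMB_PORT, "deny"),  # never reached
    Rule("clinical_devices", "corporate", SMB_PORT, "deny"),
]


if __name__ == "__main__":
    for name, rules in [("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES),
                        ("shadowed", SHADOWED_RULES)]:
        print(name, "SMB exposure across boundaries:",
              audit_smb_exposure(rules, SEGMENTS))
```

The audit reports every boundary the flat ruleset leaves open, reports nothing for the segmented ruleset while a corporate-to-device HTTPS path is still permitted (segmentation need not mean total isolation), and catches the shadowed ruleset, where the intended block exists on paper but is ordered behind a broader allow. Running such a check against an exported policy, rather than reading the rules by eye, is the practical form of the "manage their firewalls" advice.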
18.A further challenge faced by local NHS organisations in maintaining cyber security is having a sufficiently skilled workforce. NHS organisations, national and local, struggle to recruit and retain skilled cyber security staff: there is a national shortage of this type of expertise, they are competing in a market where there are three jobs for every expert, and private sector organisations can pay cyber security experts more than the NHS can. NHS Digital itself told us that it has only 18 to 20 “deeply technically skilled people”, though it is working to develop a future workforce by developing graduate schemes alongside universities. NHS Digital told us that one way it was seeking to address this challenge was by working with the National Cyber Security Centre and the Crown Commercial Service to engage trusted suppliers from outside the NHS who can support the NHS during a cyber-attack.
19.The WannaCry attack disrupted a third of trusts but could have had an even more serious impact on the NHS if it had not happened in the summer, or on a Friday, or had the kill switch not been discovered so soon by a cyber security researcher. WannaCry was a financially motivated ransomware attack, and as such relatively unsophisticated (it locked devices but did not seek to alter or steal data). However, future attacks could be more sophisticated and malicious in intent, resulting in the theft or compromise of patient data. The Department and its arm’s-length bodies accept that cyber-attacks are now a fact of life and that the NHS will never be completely safe from them. They also acknowledge that they need to learn lessons and make changes in response to WannaCry.
20.This Committee’s report Protecting information across government recognised cyber-attack as a risk for the whole of government, and the whole of government can take lessons from the WannaCry attack. The Department, and in particular NHS Digital, worked closely with the National Cyber Security Centre during and after the WannaCry cyber-attack. The Department told us that having a single organisation at the centre of government to work on cyber security was very helpful.
23 Qq 2, 17; , para 1.11–1.12
24 Qq 18–19, 21–26, 50; , para 1.8
25 Qq 21–26, 50
26 Qq 27–28, 54
27 Qq 11–12; , para 2.5
28 Qq 11–12
29 Qq 12–14
30 Q 50
31 Q 11; , para 2.4
32 Qq 11–14
33 Q 67
34 Qq 1, 20, 44;, para 1, 1.13–1.14;
35 Qq 9, 11, 45; NHS Digital (); Martyn Thomas (), para 1–6
36 Qq 2, 11
37 Qq 4, 11, 22, 25, 37, 45; 48
38 Committee of Public Accounts, Thirty-eighth Report of Session 2016–17, , HC 769
39 Q 58
18 March 2018