NHS response to WannaCry attack criticised

The Public Accounts Committee has criticised the NHS and government for its failure to establish new measures to improve cyber security nearly a year after the WannaCry ransomware attack.

The attack on 12 May 2017 caused widespread disruption to health services, with more than a third of NHS trusts affected. In total, the NHS was forced to cancel nearly 20,000 hospital appointments and operations - although the repercussions could have been much worse. The Public Accounts Committee, along with other bodies, criticised the NHS for not being prepared for the attack, with many departments and hospitals unsure how to react or communicate as the attack unfolded.

However, the committee has also said that the NHS still has a lot of work to do to improve cyber security for ‘when, and not if, there is another attack’, stating that it is ‘alarming’ that adequate measures have still not been introduced.

Meg Hillier, chair of the committee, said: "The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cyber security and response plans of the NHS. But the impact on patients and the Service more generally could have been far worse and government must waste no time in preparing for future cyber attacks—something it admits are now a fact of life.

“It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed. Our report sets out how and why the Department of Health and Social Care and its national bodies should take the lead in ensuring these lessons are quickly translated into action.

“I am struck by how ill-prepared some NHS trusts were for WannaCry, in many cases failing to act on warnings to patch exposed systems because of the anticipated impact on other IT and medical equipment. Government must get a grip on the vulnerabilities of and challenges facing local organisations, as well as the financial implications of WannaCry and future attacks across the NHS. Cyber security investment cannot be properly targeted unless this information is collected and understood.

“There is much important work to do and we urge the Department to provide us with an update by the end of June. Meanwhile, this case serves as a warning to the whole of Government: a foretaste of the devastation that could be wrought by a more malicious and sophisticated attack. When it comes, the UK must be ready."