MPs have criticised the government’s slow response to last year’s WannaCry attack on the NHS, and warn there is much work to be done to improve cyber security if damage from the next attack is to be minimised.
A report by the Public Accounts Committee says the Department of Health and Social Care and its arm's-length bodies “were unprepared for the relatively unsophisticated WannaCry attack” as there was no adequate response plan in place and communication procedures were unclear.
Now, almost a year later, while some progress has been made - particularly on communication - the Department still does not know what financial impact the WannaCry cyber-attack had on the NHS, which is hindering its ability to target its investment in cyber security.
Also, plans to implement the lessons learned are still to be agreed, the Committee noted.
“I am struck by how ill-prepared some NHS trusts were for WannaCry, in many cases failing to act on warnings to patch exposed systems because of the anticipated impact on other IT and medical equipment,” said Committee chair Meg Hillier.
“Government must get a grip on the vulnerabilities of and challenges facing local organisations, as well as the financial implications of WannaCry and future attacks across the NHS.”
She went on to stress that there is “much important work to do” and called on the Department to provide an update by the end of June.
“Meanwhile, this case serves as a warning to the whole of Government: a foretaste of the devastation that could be wrought by a more malicious and sophisticated attack. When it comes, the UK must be ready.”
Commenting on the PAC’s report, director of development and operations at NHS Providers, Ben Clacy, warned: “With no indication that there will be the capital available to carry out the required upgrades and changes, progress is being hampered.
“Cyber security must be a priority so it is vital that the capital investment needed is protected from plugging gaps in day-to-day spending.”