NHS fails hundreds of cyber security tests after WannaCry attack

7 Feb 18

The NHS failed all 200 cyber security tests it ran in the aftermath of the WannaCry attack in May last year, a group of MPs has heard.

NHS officials also admitted to the Public Accounts Committee on Monday the health service might never know the full cost of the ransomware incident. 

Since the attack -  which affected 19,500 NHS appointments - 200 of the 236 NHS trusts have been examined for vulnerability to cyber attacks, each of them failing.

Rob Shaw, NHS Digital deputy chief executive, said: “We will never mitigate against all cyberattacks.

“We’ve got to accept the fact that there will be some things that will get through. How we respond to those becomes crucial.”

Geoffrey Clifton-Brown, chairing the PAC on Monday, pointed out that before the WannaCry attack NHS Digital conducted cyber attack tests on 88 NHS trusts, all of which failed.

When probed on the total cost of the cyberattack chief executive of NHS England Simon Stevens said specific figures could not be provided.

“We haven’t got a national estimate of that,” he told the committee members.

Chris Wormald, permanent secretary at the Department of Health and Social Care, said: “On the straight costing question, the truth of it is, it doesn’t fall out of the data we regularly collect.

“We would therefore, to get an accurate number, need to do an entirely separate data collection which clearly places burdens all the way through the system, and we don’t see doing a specific data collection of that as a particularly positive thing.”

Although, he said he would look again to see if he could come up with a figure but “without promising anything”. 

Labour MP Bridget Phillipson pointed out patients were constantly reminded of the cost of missing important appointments and that the NHS had a duty to record cost when it fails to hold appointments.

In response to the IT failings of the NHS, Wormald said his department was committing £175m to cyberattack spending over the next three years.

He stated: “The original allocation directly to cyber security was £50m and that was supplemented by an additional £21m immediately after WannaCry.

“[Since then] we have allocated a further £25m this financial year and then £150m over the following two financial years.”

MPs criticised the response to the WannaCry attack, saying people did not know where to turn in the case of an attack.

Stevens said, on coordinating a response to an attack, “arrangements have been put in place subsequently to deal with that”.

PF last week releaved how much local authorities are doing to prevent cyber security attacks

Did you enjoy this article?