NHS ‘lucky’ WannaCry attack happened on a Friday in summer

18 Apr 18

The NHS was “lucky” the WannaCry cyberattack 11 months ago happened on a Friday in the summer, a group of MPs has said today.

To ensure the health service is prepared for the next cyberattack, the government and NHS still have a “long way to go”, the Public Accounts Committee also warned in a report out today.

“The NHS was lucky,” the watchdog reported. “If the attack had not happened on a Friday afternoon in the summer and the kill switch to stop the virus spreading had not been found relatively quickly, then the disruption could have been much worse.”

The MPs said it was a question of “when, and not if, there is another attack” and that “there is a long way to go before agreed, prioritised and costed plans for improving cyber security are in place across the NHS”.

Lessons “had been learnt” since the attack on May 12 2017, which caused the cancellation of nearly 20,000 hospital appointments and operations with 80 of 236 NHS trusts across England suffering disruption, the watchdog concluded.

But it said the the Department of Health and Social Care and the NHS were slow to respond and had not been prepared for the “relatively unsophisticated WannaCry attack”.

“They had not shared and tested plans for responding to a cyber-attack, nor had any trust passed a cyber-security inspection,” the PAC noted.

“As the attack unfolded, people across the NHS did not know how best to communicate with the Department or other NHS organisations and had to resort to using improvised and haphazard ways to communicate.”

The department still does not know the financial impact of the incident, “which is hindering its ability to target its investment in cyber security”, the MPs added.

A review with 22 recommendations to improve NHS cyber security was published in February 2018 by the DHSC, NHS Improvement and NHS England but implementation plans have not yet been agreed.

The committee wants the DHSC and arm’s-length bodies to set a clear timetable for implementation these plans and report to the committee by June 2018.

Chair of the committee Meg Hillier said: “Cyber security investment cannot be properly targeted unless this information is collected and understood.

“There is much important work to do and we urge the DHSC to provide us with an update by the end of June.”

The report also calls for DHSC to provide an estimate of the total cost of the WannaCry attacks by June 2018, which it says will allow national and local bodies to make the best cyber security investment decisions.

Hillier said: “This case serves as a warning to the whole of government: a foretaste of the devastation that could be wrought by a more malicious and sophisticated attack.

“When it comes, the UK must be ready.”

In the wake of the attack, the government reprioritised £21m of capital funding to Major Trauma Centres and Ambulance Trusts and a further £25m has been made available in 2017-18 to help organisation which are most at risk.

A DHSC spokesperson said: “Every part of the NHS must be clear that it has learned the lessons of Wannacry.

“The health service has improved its cyber security since the attack, but there is more work to do to protect data and patient care.”

They added: “We have supported that work by investing over £60m to address key cyber security weaknesses - and plan to spend a further £150m over the next two years to improve resilience, including setting up a new National Secure Operations Centre to boost our ability to prevent, detect and respond to incidents.”

Did you enjoy this article?