MPs: A Year After WannaCry, NHS Must Take ‘Urgent’ Security Action

Matthew Broersma,
NHS

The NHS and the government have failed to act on lessons learned from the incident, Public Accounts Committee says

MPs have criticised the government and the NHS for failing to put measures into place that could prevent attacks similar to the WannaCry malware incident nearly one year ago.

WannaCry, which affected more than 200,000 computers in at least 100 countries, caused the NHS to cancel nearly 20,000 hospital appointments due to the disruption.

The Health and Social Care chief information officer made 22 recommendations to prevent future disruption of the same kind in a report published in February, but the Public Accounts Committee (PAC) said it was “alarming” that no concrete action had yet been taken since then.

More specifically, the PAC said the Department of Health and Social Care (DHSC) still did not know what the proposals would cost or when they would be implemented.

‘Unprepared’

The PAC’s report said the DHSC and NHS bodies had been “unprepared” for WannaCry, which affected 80 out of 236 NHS trusts in England and another 603 NHS bodies, including 595 GP practices.

The NHS had been “lucky” more disruption had been averted when the malware was, by chance, neutralised relatively quickly.

PAC chair Meg Hillier said WannaCry had “laid bare” serious vulnerabilities in the NHS.

“Government must waste no time in preparing for future cyber-attacks – something it admits are now a fact of life,” she said. “It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed.”

MPs said the DHSC and the NHS should urgently agree and implement cyber-security plans and provide an update to the committee in June.

The DHSC said the health service had improved its cyber-security since last May’s attack.

“We have supported that work by investing over £60m to address key cyber-security weaknesses – and plan to spend a further £150m over the next two years to improve resilience, including setting up a new National Secure Operations Centre to boost our ability to prevent, detect and respond to incidents,” the department said in a statement.

A report by the National Audit Office in October found the NHS could have avoided WannaCry disruption if it had followed basic security recommendations.

Do you know all about security? Try our quiz!