It is “alarming” how unprepared the NHS is for the next big cyber attack, MPs have said.
The Public Accounts Committee (PAC) said part of the problem was an inability within the NHS to update IT systems, either because it would disrupt the provision of healthcare or because trusts were reliant on suppliers to push updates.
Meg Hillier, chair of the PAC, said the disruption caused by last year’s WannaCry attack “laid bare serious vulnerabilities” in the NHS’s cyber security and response plans. “It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed,” she said.
Her comments come off the back of a report published by the PAC criticising the NHS and Department of Health’s (DoH) response to the attack, and just days after the UK’s cyber security watchdog published an unrelated warning about Russian cyber attacks on businesses.
Andrew Beckett, managing director of Kroll’s Cyber Security and Investigations division, said many businesses were just as unprepared as the NHS for a cyber attack.
WannaCry was a global virus that hit the NHS, as well as a number of private companies, in May 2017. The ransomware attack worked by encrypting computers to make the information on them inaccessible before demanding payment for the release codes.
It affected more than a third of NHS trusts and resulted in more than 20,000 operations being cancelled and patients from five accident and emergency departments being diverted. It was ended when a security researcher stopped the virus spreading by triggering a kill switch.
However, the PAC report said the NHS was “lucky” the disruption caused was not worse. “If the attack had not happened on a Friday afternoon in the summer and the kill switch to stop the virus spreading had not been found relatively quickly, then the disruption could have been much worse,” it said.
The PAC added the DoH still did not know the total cost of the attack to the NHS, which was hindering its ability to target cyber security investment.
One of the problems the report identified was an inability within trusts to update IT systems. WannaCry was an unsophisticated attack that exploited a vulnerability in out-of-date software and could have been prevented with a simple patch. However, in some cases trusts were unable to update systems without disrupting other parts of their IT infrastructure, or were reliant on suppliers to update systems.
The report recommended local and national NHS contracts should include standard terms to maintain and protect devices and systems from cyber attack.
Hillier said: “I am struck by how ill-prepared some NHS trusts were for WannaCry, in many cases failing to act on warnings to patch exposed systems because of the anticipated impact on other IT and medical equipment.
“Government must get a grip on the vulnerabilities of and challenges facing local organisations, as well as the financial implications of WannaCry and future attacks across the NHS.”
The PAC added the need for strong cyber security had been made more relevant by the recent chemical attack in Salisbury on a former Russian double agent, which raised “concerns about the UK’s ability to respond to international threats”.
Many of the problems in the NHS highlighted in the report could also be found in businesses, said Beckett. Ransomware attacks are an increasing threat, affecting 18% of businesses last year, he said. This is an increase of 13% on the previous year.
“As outlined in this [PAC] report, it is crucial for businesses to not only have a plan in place but to conduct simulations and test their plans before an attack takes place. Organisations also need to ensure that their critical suppliers are protected against these and other cyber attacks,” he said.
A DoH spokesperson said more than £60m had been invested to address key cyber security weaknesses, with plans in place to spend another £150m over the next two years.
“Every part of the NHS must be clear that it has learned the lessons of WannaCry. The health service has improved its cyber security since the attack, but there is more work to do to protect data and patient care,” they said.