The Public Accounts Committee report sets June deadline for update on costed plans for vital security investment – calling for WannaCry ‘wake up call’
The WannaCry cyber-attack on Friday May 12, 2017, was a ‘wake-up call for the NHS’, MPs have said.
The Public Accounts Committee (PAC), recalling the extent of the disruption to health services — which affected more than a third of NHS trusts — said that the Department of Health and Social Care and its connected bodies were unprepared when it happened and still had a lot to do to improve cyber-security ‘for when, and not if, there is another attack’.
NHS Providers has said that trusts have taken steps to strengthen their security and are applying software patches and keeping anti-virus software up to date, but progress is being hampered by lack of capital funding for upgrades and changes.
The PAC said that a cyber attack is a weapon which can have a huge impact on safety and security. It needs to be treated as a serious, critical threat. The rest of government could also learn important lessons from WannaCry.
Committee Chair Meg Hillier MP said: “The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cyber-security and response plans of the NHS.But the impact on patients and the Service more generally could have been far worse and Government must waste no time in preparing for future cyber attacks — something it admits are now a fact of life.
“It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed.
“Our report sets out how and why the Department of Health and Social Care and its national bodies should take the lead in ensuring these lessons are quickly translated into action.
“I am struck by how ill-prepared some NHS trusts were for WannaCry, in many cases failing to act on warnings to patch exposed systems because of the anticipated impact on other IT and medical equipment.
“Government must get a grip on the vulnerabilities of and challenges facing local organisations, as well as the financial implications of WannaCry and future attacks across the NHS. Cyber-security investment cannot be properly targeted unless this information is collected and understood.
“There is much important work to do and we urge the Department to provide us with an update by the end of June.
“Meanwhile, this case serves as a warning to the whole of Government: a foretaste of the devastation that could be wrought by a more malicious and sophisticated attack. When it comes, the UK must be ready.”