
NHS officials come under pressure from PAC over WannaCry

Published 06 February 2018

NHS officials tell the Public Accounts Committee that none of the 200 trusts assessed had passed its onsite assessment, and that they could not match the “high bar” set out by the National Data Guardian


A Public Accounts Committee (PAC) examination of the impact of the WannaCry cyber-attack on the NHS has revealed that all the trusts that NHS Digital has tested in onsite assessments failed the tests.

In an evidence session which also featured NHS England chief executive Simon Stevens, permanent secretary at the Department of Health Sir Chris Wormald, Jim Mackey, former chief executive, and Will Smart, chief information officer, NHS Improvement, Rob Shaw, deputy chief executive of NHS Digital, said, “We have now completed 200 onsite assessments. And all the trusts failed. Some of them have failed purely on patching, which was what the vulnerability was around WannaCry.”

Shaw continued, “The amount of effort it takes from NHS Providers in such a complex estate to reach the Cyber Essentials Plus standard that we assess against, as per the recommendation in Dame Fiona Caldicott’s report, is quite a high bar. Some of them need to do a considerable amount of work, but a number of them are on a journey [to] meeting that requirement.”

He added, “One of the things that we might want to consider, now that we have got the additional funding available, is whether or not we should go back and re-inspect some of those where there is a higher risk in order to then provide the assurance that they are going in the right direction.”

Shaw announced that the Care Quality Commission (CQC), the independent regulator of health and adult social care in England, would be performing unannounced inspections where there is a concern around cyber security up to the end of March. As part of that, at the end of March NHS Improvement will publish a lessons learned report to help trusts mitigate cyber security risks.

The Committee took evidence yesterday from the Department of Health, NHS England, NHS Improvement and NHS Digital about their response to the attack, and how they are protecting against further attacks in future.

In May 2017 NHS trusts in England were attacked by the WannaCry ransomware. According to a National Audit Office (NAO) investigation, the attack disrupted at least 34% of trusts in England: 37 trusts were locked out of devices, whilst a further 44 were not infected but experienced disruption. A further 603 NHS organisations were infected, including 595 GP practices.

This resulted in the cancellation of 6,912 appointments and operations, and in five areas patients had to travel further to access A&E services.

The NAO report said that the NHS had developed a cyber-attack action plan, but it had not been tested at a local level, and the NHS had not rehearsed for the eventuality of an attack.

In its ‘lessons learned’ work, NHS Digital concluded that all affected organisations had been using unsupported or unpatched operating software that could have been easily protected by better firewall management.

The committee said the NHS is now developing a better response plan for cyber-incidents, and ensuring communications systems can continue to function safely.

Committee chair for the meeting, Sir Geoffrey Clifton-Brown, asked Smart how he could be sure there is no future threat to the NHS from the past WannaCry attack, and in particular how he could be sure that the virus had been successfully eliminated from NHS systems.

Smart said, “I don’t think we can guarantee that the threat has gone away; in fact the threat continues.”

The PAC quoted the NAO report, which said that “In March and April 2017, NHS Digital had issued critical alerts warning organisations to patch their systems to prevent WannaCry. However, before 12 May 2017, the Department had no formal mechanism for assessing whether NHS organisations had complied with its advice and guidance. Prior to the attack, NHS Digital had conducted an on-site cyber-security assessment for 88 out of 236 trusts, and none had passed.”

The PAC noted that the fact that none of the assessed trusts passed the cyber-security assessment should have raised some red flags.

Smart said that since the WannaCry attack £21m has been invested in improved cybersecurity, while another £150m has been identified to improve national systems and resilience over the next two years.
