Faster action needed on lessons of WannaCry attack

18 April 2018

The Public Accounts Committee report sets June deadline for update on costed plans for vital security investment.

WannaCry attack a "wake-up call for NHS"

The WannaCry cyber-attack on Friday 12 May 2017 was a wake-up call for the NHS.

The attack caused widespread disruption to health services, with more than a third of NHS trusts affected. The NHS had to cancel almost 20,000 hospital appointments and operations, and patients were diverted from the five accident and emergency departments that were unable to treat them.

Yet the NHS was lucky. If the attack had not happened on a Friday afternoon in the summer and the kill switch to stop the virus spreading had not been found relatively quickly, then the disruption could have been much worse.

Department unprepared for relatively unsophisticated attack

The Department of Health and Social Care and its arm's-length bodies were unprepared for the relatively unsophisticated WannaCry attack; they had not shared and tested plans for responding to a cyber-attack, nor had any trust passed a cyber-security inspection.

As the attack unfolded, people across the NHS did not know how best to communicate with the Department or other NHS organisations and had to resort to using improvised and haphazard ways to communicate.

The Department still does not know what financial impact the WannaCry cyber-attack had on the NHS, which is hindering its ability to target its investment in cyber security.

Work still to be done on cyber-security for next attack

Although the Department and NHS bodies have learned lessons from WannaCry, they have a lot of work to do to improve cyber-security for when, and not if, there is another attack.

The recent shocking use of a nerve agent to poison those on British soil has heightened concerns about the UK's ability to respond to international threats, and hammers home the risks from those hostile to the UK.

A cyber attack is a weapon which can have a huge impact on safety and security. It needs to be treated as a serious, critical threat. The rest of government could also learn important lessons from WannaCry.

Chair's comments

Comment from Committee Chair Meg Hillier MP:

"The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cyber security and response plans of the NHS.

But the impact on patients and the Service more generally could have been far worse and Government must waste no time in preparing for future cyber attacks—something it admits are now a fact of life.

It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed.

Our report sets out how and why the Department of Health and Social Care and its national bodies should take the lead in ensuring these lessons are quickly translated into action.

I am struck by how ill-prepared some NHS trusts were for WannaCry, in many cases failing to act on warnings to patch exposed systems because of the anticipated impact on other IT and medical equipment.

Government must get a grip on the vulnerabilities of and challenges facing local organisations, as well as the financial implications of WannaCry and future attacks across the NHS.

Cyber security investment cannot be properly targeted unless this information is collected and understood.

There is much important work to do and we urge the Department to provide us with an update by the end of June.

Meanwhile, this case serves as a warning to the whole of Government: a foretaste of the devastation that could be wrought by a more malicious and sophisticated attack. When it comes, the UK must be ready."
