NHS WannaCry review highlights need for accountability and skills

A review of lessons learned from the WannaCry ransomware attack has called for both local NHS organsiations and national bodies to improve their cyber security skills and resilience.

The report, by health and social care CIO Will Smart, highlights the need for improvement across the health and care sector, and echoes the National Audit Office report published last year by saying the attack could have been prevented had the NHS followed basic IT security best practice.

The NHS report said the health service must ensure that “when”, not “if”,  another cyber attack happens, the “the health and care system nationally, regionally and locally is equipped to withstand and respond to cyber attacks in an effective manner which minimises disruption to services and, most importantly, impact on patients”.

The WannaCry attack, in May 2017, was not specifically targeted at the NHS, but health organisations in England were hit hard, including 80 hospital trusts – one-third of all trusts in England. More than 600 primary care organisations were also affected.

One of the key reasons the NHS was affected so badly by the attack was the lack of patching of systems within trusts. None of the 80 trusts had applied the latest patch, despite being advised to do so by NHS Digital in April 2017.

A number of the organsiations affected were not necessarily subject to the attack, but chose to shut down their systems or email as a precaution, due to not having the skills to know what to do, or having received any advice.

The report, which sets out 22 recommendations to local and national NHS organisations, called for all of them to ensure they “have sufficient quality and capable IT technical resources to manage and support their local IT infrastructure, systems and services”, and that this should be formalised through sustainability and transformation plans.

It also called on all NHS organisations to make sure that every single board has “an executive director as data security lead, cyber security risks are regularly reviewed by the board, appropriate countermeasures are in place to mitigate and response plans are in place to address service restoration in the event of a successful attack”.

Although not an official recommendation, it also called for organisations to “consider whether access to IT systems and services should be removed from members of staff who have not successfully completed this mandatory training”.

It also asked NHS organisations to look at how their IT estate is managed, and whether staff have the proper qualifications and resources in place.

Boards should consider whether these services could be provided more effectively by third-party organisations and should “regularly assess their organisations’ IT management, cyber capability and capacity”, the report said.

The report added that one of the key challenges identified during the cyber attack was the NHS’s reliance on “third-party suppliers for the management and support of equipment”, particularly diagnostics equipment, and that organisations must ensure the right processes and controls are in place for third-party IT systems.

On a national level, the report called for NHS Digital to appoint a chief information and security officer (CISO) to report directly to NHS CIO Will Smart. “The CISO must be appointed by the end of the first quarter of the 2018/19 financial year,” the report said.

“The role will lead national cyber working groups, help inform policy and drive improvements and standardisation. In addition, it is recommended that NHS Digital appoints a dedicated cyber security lead working across NHS England, NHS Improvement and other partners such as local government in each of the NHS England regions.”