PAC sets June 2018 deadline for Department of Health to count NHS cost of WannaCry

Government health bosses have come under fire from the Public Accounts Committee (PAC) for being unable to account for the financial toll the WannaCry ransomware attack took on the NHS in May 2017.

A report on the fallout from the attack confirms that neither the Department of Health and Social Care nor the arm’s-length bodies it deals with have got a handle on the financial impact of the attack on the NHS, which the spending watchdog says will impede its ability to prioritise its cyber security spending.

“A better understanding of the costs and impact would help both local and central NHS bodies make the best cyber security investment decisions,” said the PAC report.

For this reason, the committee said it is giving the department until the end of June 2018 to provide a nationwide estimate of how much the attack cost the NHS in total.

The attack affected 80 hospital trusts and more than 600 primary care organisations across England, contributing to the cancellation of about 20,000 hospital appointments and operations as staff were unable to access key healthcare IT systems.

The PAC has also given the department the same deadline to set out how it plans to shore up the NHS’s cyber defences in anticipation of another attack against its systems.

“While WannaCry was a relatively unsophisticated and financially motivated attack, future attacks could be more sophisticated and malicious in intent, and involve the theft or compromise of patient data,” said the report.

“The department accepts that cyber attacks are now a fact of life and that the NHS will never be completely safe from them. The whole of government is at risk of a cyber attack and, while the department and NHS bodies are learning lessons from WannaCry, the whole of government must also learn lessons from the cyber attack.” 

In February 2018, a “lessons learned” review of the WannaCry attack by health and social care CIO Will Smart highlighted the need for local NHS organisations and national bodies to improve their cyber security and resilience.

The PAC said the department must prioritise the implementation of the recommendations in the report, and provide it with an update by the end of June 2018 on how the work is progressing.

“The department and its national bodies should urgently consider and agree implementation plans…prioritising and costing actions, setting a clear timetable, and ensuring national and local roles, responsibilities and oversight arrangements are clear,” the PAC report said. “They should provide an update on progress to the committee by the end of June 2018.”

The committee also claims that shortfalls in the willingness of NHS trusts to heed warnings about the need to upgrade legacy software and systems meant they were ill-equipped to fend off the attack.

“As far back as April 2014, the department had written to NHS trusts warning them to migrate from old software such as Windows XP,” said the report. “Yet at the time of WannaCry, 5% of the NHS IT estate was still using Windows XP.

“There were further warnings in 2016 and even in March and April 2017, just before the attack, when NHS Digital issued warnings to trusts to secure their Windows operating systems.”

As a result, the NHS should consider itself lucky that the fallout from WannaCry was not far greater, said the PAC.

“The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cyber security and response plans of the NHS,” said PAC chair Meg Hillier in a statement. “But the impact on patients and the service more generally could have been far worse and government must waste no time in preparing for future cyber attacks – something it admits are now a fact of life.

“I am struck by how ill-prepared some NHS trusts were for WannaCry, in many cases failing to act on warnings to patch exposed systems because of the anticipated impact on other IT and medical equipment.

“Government must get a grip on the vulnerabilities of, and challenges facing, local organisations, as well as the financial implications of WannaCry and future attacks across the NHS.”

Computer Weekly contacted the Department of Health and Social Care for comment on this story, and was told the organisation has been working to improve its cyber security strategy since the attack.

"There is more work to do to protect data and patient care," it said in a statement. “We have supported that work by investing over £60 million to address key cyber security weaknesses - and plan to spend a further £150 million over the next two years to improve resilience, including setting up a new National Secure Operations Centre to boost our ability to prevent, detect and respond to incidents.”