MPs tell DHSC to raise game on cyber security

Public Accounts Committee report highlights shortcomings of NHS at the time of WannaCry cyber attack

A committee of MPs has called on the Department for Health and Social Care (DHSC) to give more support to local organisations to improve their cyber security, to improve emergency communications and step up accreditation of IT devices used in healthcare.

The Public Accounts Committee (PAC) has made the recommendations in its report on the response to last year’s WannaCry ransomware attack, which caused severe IT disruption in the health service.

It says the Department of Health and Social Care (DHSC) and arm’s length bodies were unprepared for what was a relatively unsophisticated attack.

The criticisms follow an earlier report by the National Audit Office that said the department could have done more in advance to prevent WannaCry affecting so many trusts.

A prime recommendation of the report is that the DHSC and arm’s length bodies should set out how local systems can be updated while minimising disruption to services, and provide relevant guidance and support.

They should also ensure that all IT and medical equipment suppliers to the NHS are accredited, with local contracts including standard terms to protect devices and systems from cyber attack. In addition, local and national workforce plans should include a focus on IT and cyber skills.

Roles and responsibilities

Other recommendations include the setting out of clear roles and responsibilities to coordinate communications during a cyber attack, and to provide secure alternative channels for when email, for example, is unavailable.

The DHSC and its arm’s length bodies should also develop a full understanding of the cyber security arrangements and IT estate of all local NHS organisations.

Among the failings at the time of the attack identified in the report are that most bodies had not shared and tested plans for a response to a cyber attack and no NHS trust had passed a cyber security inspection.

Many had not taken effective action to manage firewalls or segment networks to bolster security, and they suffered from a national shortage of skilled cyber security staff.

As the attack unfolded, people across the NHS did not know how best to communicate with the department or other organisations and had to resort to improvised and haphazard ways of speaking with each other.

Financial question mark

In addition, the DHSC still does not know the full financial impact of WannaCry on the NHS, which is hindering its ability to target its investment in cyber security. The department already had plans to invest £50 million in cyber security up to 2020, but has now added another £150 million for monitoring and response services, £21 million to deal with key vulnerabilities in major trauma centres and ambulance trusts, and £25 million to support the most vulnerable organisations.

The report says it should provide an update on the national costs to the committee by the end of June.

PAC chair Meg Hillier MP said: “The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cyber security and response plans of the NHS.

“But the impact on patients and the service more generally could have been far worse and Government must waste no time in preparing for future cyber attacks — something it admits are now a fact of life.

“It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed.”

Image by Paul Clarke