The NHS and Department of Health have been criticised by MPs for not taking enough action to improve cyber security measures following 2017’s WannaCry incident.

A report published today by the Public Accounts Committee (PAC) has raised concerns about the pace at which lessons learned from the ransomware incident are being put into action.

Meg Hillier, chair of the PAC, said it was “alarming” that plans to implement Will Smart’s 22 recommendations had not been agreed upon nearly one year on.

The outbreak of WannaCry in May last year affected one third of NHS trusts in England, leading to the cancellation of thousands of appointments and operations as staff were locked out of devices and IT systems.

In February 2018, a joint report by NHS England and NHS Improvement outlined 22 recommendations to be implemented by NHS organisations to make them better prepared to manage cyber security incidents.

However, at a PAC hearing later that month, NHS Digital deputy CEO Rob Shaw revealed that 200 NHS trusts had failed cyber security checks carried out in the wake of WannaCry.

When asked at the time about its plans for implementing its lessons-learned recommendations, NHS England was unable to offer an estimated cost or timeframe.

Today’s report concluded there is “a long way to go” before agreed plans for improving cyber security are in place across the NHS.

It called on the Department of Health and Social Care (DHSC) to publish an estimate of the financial impact of the disruption by the end of June 2018, something NHS England has previously implied it would not do.

The report (published on 18 April 2018) read: “The Department and its national bodies should urgently consider and agree implementation plans arising from the recommendations within their lesson learned document, prioritising and costing actions, setting a clear timetable, and ensuring national and local roles, responsibilities and oversight arrangements are clear.”

‘We learned a lot’

NHS Digital welcomed the recommendations and said it would continue working with partners to implement them.

In an email to Digital Health News, a spokesperson pointed to a number of post-WannaCry initiatives designed to better equip NHS organisations against cyber-attacks, including its recent threat alert service agreement with Microsoft.

NHS Digital has also increased investment in its security operations centre and is currently on the lookout for a partner to help it deliver enhanced threat detection services to healthcare organisations.

Dan Taylor, associate director of NHS Digital’s data security centre, said: “We learned a lot during WannaCry and have made significant progress in further expanding and improving our role, alerting NHS organisations to known cyber security threats and advising them of appropriate steps to take to minimise risks and the impact on essential front-line services.”

A spokesperson for the Department of Health and Social Care said “every part of the NHS must be clear” that it had learned the lessons of WannaCry.

“The health service has improved its cyber security since the attack, but there is more work to do to protect data and patient care,” they said.

“We have supported that work by investing over £60 million to address key cyber security weaknesses – and plan to spend a further £150 million over the next two years to improve resilience, including setting up a new National Secure Operations Centre to boost our ability to prevent, detect and respond to incidents.”