Government unveils £150m NHS security package – but still no timeline for WannaCry recommendations

The government has unveiled a £150m spending package aimed at bolstering the NHS’s cyber defences, in a bid to protect the health service from another WannaCry-style attack.

The investment will fund the implementation of 22 recommendations drawn up in light of WannaCry, but, nearly 12 months on from the attack, the government is yet to confirm when they will be put into practice.

NS Tech understands the Department for Health and Social Care is in the process of writing the business case for the recommendations, before presenting the specifics to Downing Street.

Earlier this month, Meg Hillier, chair of the Public Accounts Committee, described the government’s slow progress on addressing the lessons of WannaCry as “alarming”. “Government must get a grip on the vulnerabilities of and challenges facing local organisations, as well as the financial implications of WannaCry and future attacks across the NHS.”

In addition to the funding package, the NHS has also struck a “multi-million pound” deal with Microsoft to upgrade its computer networks to Windows 10, which features better cyber security tools, such as Windows Defender.

Some NHS trusts were particularly susceptible to WannaCry last May because they were running Windows XP, an operating system so old it was no longer supported by Microsoft and, as such, could not be patched. However, the majority of trusts that were hit had been running newer operating systems. They fell victim to the virus because they had not installed a patch made available by NHS Digital.

Professor Alan Woodward, a cyber security expert at the University of Surrey, said that while the new technology was welcome, it was critical that hospital trusts and GP practices were given greater support for installing new software.

“There’s a big focus on technology but not on people,” he told NS Tech. “What was the problem with WannaCry? It’s not that the software was vulnerable; they didn’t have the people to put the fixes in. You need people at the coalface.”

Andy Norton, director of threat intelligence at Lastline, added: “This deal does not address the problem of legacy apps that won’t run on Windows 10. Nor does it solve the user case of WannaCry; [unpatched versions of] Windows 10 were still vulnerable.”

NHS Digital said that guidance would be provided to trusts on the migration process and that more than 100,000 NHS devices had already been upgraded to Windows 10.

Jeremy Hunt, the health secretary, said it is vital the public can trust NHS systems: “We have been building the capability of NHS systems over a number of years, but there is always more to do to future-proof our NHS against this threat.”

He added: “This new technology will ensure the NHS can use the latest and most resilient software available – something the public rightly expect.”