NHS WannaCry strike blamed on lack of accountable security professionals

WannaCry ransomware forced NHS staff to cancel thousands of appointments and operations last month. But BCS, the Chartered Institute for IT, has claimed in a new report that the attack could have been averted if trusts had spent more time skilling up their staff and working with accredited security experts.

“The [strike] was bound to happen, it was just a matter of when,” said David Evans, the institute’s director of policy. “Whilst doing the best with the limited resources available, it is clear that some hospital IT teams lacked access to trained, registered and accountable cyber-security professionals with the power to assure hospital Boards that computer systems were fit for purpose.”

The institute has now joined forces with the Patients Association and Royal College of Nursing to publish a list of steps NHS trusts should take to minimise the risk of another attack.

A call for clear standards for accrediting relevant IT professionals tops the agenda. The report urges NHS boards to ensure they understand their responsibilities and how to make use of experts.

A spokesperson for the Department of Health declined to comment on the report, but the government is expected to issue a response to Dame Fiona Caldicott’s review of data security and privacy in the NHS shortly.

Following the WannaCry attack last month, Labour MP Jonathan Ashworth, who represents Leicester South, asked Jeremy Hunt to comment on the steps he is taking to improve cybersecurity in the NHS.

Jackie Doyle-Price, who was a junior health minister at the time, replied:

Cyber resilience in the health and care system is an issue that the Government takes very seriously.

We have changed the National Health Service standard contract to include, from April 2017, cyber security requirements.

Evidence shows that the use of unsupported systems is continuing to reduce in health and care, as organisations replace older hardware. Latest estimates suggest the usage of Windows XP in the NHS has reduced from 15-18% at December 2015, to 4.7% of systems currently.

The 12 May 2017 ransomware incident affected the NHS in the United Kingdom. It is standard practice to review any major incident in the NHS. Further, the Chief Information Officer for health and care is undertaking a review into the May 2017 cyber-attack which is expected to conclude in the autumn.

The identifiable cost of emergency measures put in place to specifically address the NHS ransomware attack on 12 May 2017 was approximately £180,000. These costs were borne by NHS Digital and NHS England from internal budgets. Information relating to any expenditure incurred by individual local NHS trusts or other NHS organisations is not collected centrally.

We do not comment more widely on matters of security.