On Friday 12 May 2017, the NHS was hit by the WannaCry cyber attack. 80 out of 236 hospital trusts across England were affected in some way, and 595 out of 7,454 GP practices. 6,912 appointments and operations were cancelled. In total, 1% of NHS activity was directly affected by the WannaCry attack.
While no patient data was compromised during the attack, it demonstrated the vulnerabilities of IT systems in the NHS. The NHS Chief Information Officer, Will Smart, has just published a review of the WannaCry attack and the NHS response. He concludes that “it is not a question of ‘if’ but ‘when’ the next cyber attack occurs.”
The review sets out the lessons learned, and makes a number of recommendations to ensure the health and social care system is better prepared to withstand and to respond to future incidents.
It describes the roles, responsibilities, and accountabilities of local and national NHS organisations in the event of a cyber attack, and emphasises the importance of strong board leadership. The review recognises the importance of examining the implications of cybersecurity for social care organisations and provides a reminder of the data security standards developed by the National Data Guardian (NDG) in July 2016 to reduce IT vulnerabilities. The review also summarises recent investments that have been made to strengthen resilience, including £21 million in Major Trauma Centres and Ambulance Trusts and £25 million to support at-risk organisations.
In 2014, an Ipsos MORI survey of 2,000 people found that people trusted the NHS and GPs more than any other organisation to keep data safe – higher than banks, supermarkets, and government. It would be interesting to see whether the WannaCry attack has changed that perception.
Others have also been examining cybersecurity in the NHS. The National Audit Office investigated the NHS response to the WannaCry attack, concluding that “the NHS need to get their act together to ensure the NHS is better protected against future attacks”.
The Public Accounts Committee has a related inquiry, and this week took evidence from Simon Stevens, Chief Executive, NHS England, Sir Chris Wormald, Permanent Secretary, Department of Health, Jim Mackey, former Chief Executive, Will Smart, Chief Information Officer, NHS Improvement, and Rob Shaw, Deputy Chief Executive, NHS Digital.
During the session, it was reported that none of the 200 Trusts that have been assessed, either before or after WannaCry, have yet met the new cybersecurity standards, ‘which is a high bar’. The witnesses also summarised the measures that are being taken to improve resilience and agreed further action is needed.
The consequences of a cyber attack could be much worse another time. If nothing else, WannaCry has raised awareness that cybersecurity is essential for patient safety.
While there are risks with using IT systems in hospitals, there are also huge benefits for patients and clinicians if the whole care team can access up-to-date information using integrated electronic records to provide the best and safest care. There are too many examples where appointments have been wasted, or even lives have been lost, because paper records have not been available to the right people at the right time.
The key thing will be to ensure that the risks from using IT systems are made as low as practicably possible. Patients need to be confident that the benefits outweigh the risks. The NHS needs to be given adequate resources to step up its efforts on cybersecurity and to take every possible step to strengthen the resilience of NHS IT systems.