The NHS was unprepared for the 2017 WannaCry cyber-attack and plans for improving cyber security across the health service are far from complete, a report by the House of Commons Public Accounts Committee (PAC) has found.
The report found communications between NHS organisations during the attack on 12 May 2017 were not co-ordinated and there were no alternative communication methods available when email had to be turned off.
The attack, which used malicious ‘ransomware’ called WannaCry, hit the IT systems of approximately one-third of trusts in England and 13 NHS organisations in Scotland. WannaCry locked computers and demanded a ransom to unlock them, but could have had a more serious impact “if it had not happened in the summer, or on a Friday, or had the kill switch not been discovered so soon by a cyber security researcher”, the report said.
Routine surgery and GP appointments were cancelled across the NHS as a result of the attack and pharmacists had to abandon use of the NHS spine, which meant they had no access to electronic prescriptions, summary care records or trackers. The national broadband network for the English NHS was also considered unsafe to use during the attack.
The PAC report found local NHS organisations did not know who to report the attack to, and as a result contacted numerous agencies, including local police forces.
It said: “The Department [of Health and Social Care] and its national bodies know more [now] about preparedness, but still have much more to do to support trusts to meet required cyber security standards and to respond.”
The Department of Health and Social Care has since produced a handbook on the approach and actions that should be taken by NHS organisations in the event of another cyber-attack.
The PAC said it wanted an update on NHS organisations’ progress by the end of June 2018.