WannaCry Ransomware Cyberattack

In May 2017, there was a worldwide cyberattack, known as WannaCry, which targeted computers running the Microsoft Windows operating system, encrypted data and demanded payment in Bitcoin cryptocurrency. The attack impacted organisations in a wide range of countries, including the NHS.
 
The cyberattack directly affected the provision of services in 34% of hospital trusts in England and 8% of GP practices. Although there were no reports of harm to patients or of patient data being compromised or stolen, the cyberattack severely impacted patient care, as trusts diverted ambulances and cancelled appointments, for example.

Lessons learned review

The Department of Health and Social Care’s Data Security Leadership Board commissioned Will Smart, the Chief Information Officer for Health and Social Care, to undertake a review considering the lessons that could be learned and recommendations to mitigate against a similar cyberattack impacting the health and care system in the future.

The Lessons learned review, published in February 2018, outlined progress since the cyberattack and made 22 recommendations for strengthening the NHS’s cyber security. Several recommendations related to improving leadership and accountability on cybersecurity issues at national and local levels, for example the appointment of a data security lead on every NHS Board.

NHS action on cybersecurity

The NHS national leadership took several actions on cybersecurity in 2017/18, for example:

• the government reprioritised £21m in funding to upgrade firewalls and network infrastructure in major trauma centres and ambulance trusts, and set aside £25m of capital funding in 2017/18 to support trusts that were non-compliant against high severity CareCERT alerts
• the Department of Health and Social Care signed a deal with Microsoft to enable NHS organisations to upgrade to the more robust Windows 10 operating system for trusts
• the Department of Health and Social Care announced a £150m investment in cybersecurity over 3 years
• NHS Digital went to market for a supplier to build a new NHS cybersecurity centre to centralise cybersecurity services.

Scrutiny from the PAC

However, in its report published in April 2018, the House of Commons Public Accounts Committee expressed concerns that plans to implement the Lessons learned review’s recommendations had not yet been agreed and there was more to be done to improve cyber security in the NHS.

The report described the 2017 cyberattack as ‘a wake-up call for the NHS’ and stated that the Department of Health and Social Care had been ‘unprepared’, given that there had not been a tested plan for responding to such an attack.