Report from MPs says that, a year on from the cyberattack, government and the NHS must now take action

Almost a year on from WannaCry, the Public Accounts Committee has expressed is alarm at how little action has been taken “to improve cybersecurity for when, and not if, there is another attack”.

In February, NHS England and the Department of Health and Social Care published a review of the lessons that have been learned from the WannaCry attack. A PAC report published today expressed concern that, more than 11 months after the ransomware assault, these lessons have yet to translate into the necessary implementation initiatives. 

MPs have instructed the department and the wider NHS to formalise an action plan and report back to the committee by the end of June.

PAC said: “The department and its national bodies should urgently consider and agree implementation plans arising from the recommendations within their Lessons Learned… document, prioritising and costing actions, setting a clear timetable, and ensuring national and local roles, responsibilities, and oversight arrangements are clear.”

MPs added that the plans should include details of likely financial cost, and must make clear what NHS bodies at both a national and local level should do during a cyberattack – including setting out arrangements for various communications channels if email, for example, is compromised. Central government should also support local NHS entities in rolling out cybersecurity improvements, the committee said.

Related content

• NAO says preventable WannaCry damage shows DoH and NHS must ‘get their act together’
• Major cyberattack on UK likely in next two years, warns NCSC chief
• Sheffield NHS trust ICT chief: ‘WannaCry was opportunistic; a concerted attack is what keeps me awake at night’

This help should include a clear plan for “how local systems can be updated whilst minimising disruption to services, and [providing] guidance and support to do this”. All suppliers of IT and medical technology should also hold some form of cybersecurity accreditation, MPs said, while NHS staffing plans at both a local and national level ought to “include a focus on IT and cyber skills”.

In implementing these recommendations, the department is encouraged to work closely with the Cabinet Office and the wider civil service, as well as the National Cyber Security Centre.

PAC chair Meg Hillier said: “The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cybersecurity and response plans of the NHS. But the impact on patients and the service more generally could have been far worse, and government must waste no time in preparing for future cyberattacks—something it admits are now a fact of life. It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed.”

A spokesperson for the Department of Health and Social Care said: “Every part of the NHS must be clear that it has learned the lessons of Wannacry. The health service has improved its cybersecurity since the attack, but there is more work to do to protect data and patient care.

“We have supported that work by investing over £60m to address key cybersecurity weaknesses – and plan to spend a further £150m over the next two years to improve resilience, including setting up a new National Secure Operations Centre to boost our ability to prevent, detect and respond to incidents.”