NHS hack just a 'taste of devastation' of major cyberattack with full cost still unknown, warn MPs

Plans to address IT vulnerabilities still not agreed, says committee, as security chiefs warn Russian hackers targeting computers for future attacks

Alex Matthews-King
Health Correspondent
Tuesday 17 April 2018 16:19 BST

The NHS is still unprepared for a major cyberattack despite receiving a “taste of the devastation” caused by a minor hack like last year’s WannaCry virus, MPs have warned.

In spite of 20,000 appointments and operations being cancelled, the House of Commons Public Accounts Committee (PAC) said today that the NHS “got lucky”, as a more sophisticated attack could take a huge toll on patient care.

The PAC warns the government has still not identified the full financial cost of the shutdown or the extent of vulnerabilities and challenges in upgrading out-of-date equipment.

This is making it impossible for NHS bosses to prioritise security improvements, health service leaders said.

The PAC’s report comes after a joint statement by UK and US security chiefs warned Russian hackers were targeting millions of devices around the world to steal information and build networks to undermine key targets.

This included infiltration of NHS targets, the UK energy grid and “basic infrastructure” such as internet service providers.

Chair of the PAC Meg Hillier MP said a second incident was only a matter of time and that the health service, and other sectors, should have acted on lessons from last year.

The WannaCry virus struck on 12 May 2017 and affected 200,000 computers in at least 100 countries, demanding a ransom to unlock the computer and prevent its information being deleted.

In the UK the NHS was hard hit because a large number of organisations are still running out-of-date Windows XP software, despite warnings about the system’s vulnerabilities.

Eighty of the 236 NHS trusts in England were either infected or shut down their systems as a precaution, and five A&E departments were unable to treat patients as a result.

There were also 595 GP practices unable to access their systems, but the spread of the virus was halted by a cybersecurity researcher finding a “kill switch”.

The impact could have been far greater if an attack had struck this winter, as NHS performance has plumbed record lows and doctors warned Theresa May patients were “dying prematurely” in corridors.

While the Department of Health and NHS heads have drawn up a plan to tackle these vulnerabilities, the PAC report warns it “does not know exactly how much the recommendations will cost or when they will be implemented”.

It also raised concerns that not a single trust has passed NHS cybersecurity testing, despite 200 inspections.

NHS Digital bosses said this was down to the stringent requirements of the test, but the report said ministers are not doing enough to help the worst trusts improve, and to ensure those unaffected by WannaCry do not get complacent.

After the attack £46m in funding was reallocated to address issues in critical parts of the NHS, such as major trauma centres and at ambulance trusts, but the government does not know the true amount required.

Because of IT specialist shortages and complex computer systems, the report warns: “Not all local bodies have the means to update and protect systems without disrupting the ongoing delivery of patient care.”

While last year’s attack “could have been far worse”, Ms Hillier said: “It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed.

“This case serves as a warning to the whole of government: a foretaste of the devastation that could be wrought by a more malicious and sophisticated attack. When it comes, the UK must be ready.”

Ben Clacy, director of development and operations at NHS Providers, which represents NHS trusts, said lessons had been learned.

However, he added: “With no indication that there will be the capital available to carry out the required upgrades and changes, progress is being hampered.

“Cybersecurity must be a priority, so it is vital that the capital investment needed is protected from plugging gaps in day to day spending.”

The government said it was up to the NHS to show it has learned lessons from the WannaCry attack and, despite its improvements, admitted there was more to do.

Health Minister Lord O’Shaughnessy said: “We have supported that work by investing over £60m to address key cyber security weaknesses – and plan to spend a further £150m over the next two years to improve resilience, including setting up a new National Secure Operations Centre to boost our ability to prevent, detect and respond to incidents.”
