This article is more than 1 year old

NHS given a lashing for lack of action plan one year since WannaCry

Cyber resiliency of the UK's health service still in disarray

Nearly a year has passed since the unprecedented WannaCry cyber attack and the UK's NHS has yet to agree an action plan, according to a report by MPs.

Following the incident last June, which caused 20,000 hospital appointments and operations to be cancelled, a Lessons Learned review was published with 22 recommendations for strengthening the NHS's cyber security.

However, implementation plans have yet to be agreed, while the Department of Health does not know exactly how much the recommendations will cost or when they will be implemented, the Public Accounts Committee report found.

It added that some NHS organisations still have a lot to do to improve their cyber security including Barts Health NHS Trust, one of the largest affected by WannaCry.

200 NHS trusts have failed an on-site assessment for cyber security resilience, MPs previously heard.

That was apparently because "a high bar" had been set for NHS providers, although some trusts failed purely because they had still not patched their systems – the main reason the NHS had been vulnerable to WannaCry.

Committee chair Meg Hillier said: "The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cyber security and response plans of the NHS.

"But the impact on patients and the service more generally could have been far worse and government must waste no time in preparing for future cyber attacks – something it admits are now a fact of life.

"It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed."

NHS hosptial photo, by Marbury via Shutterstock

Vast majority of NHS trusts have failed cyber security assessment, Brit MPs told


She added: "I am struck by how ill-prepared some NHS trusts were for WannaCry, in many cases failing to act on warnings to patch exposed systems because of the anticipated impact on other IT and medical equipment."

Cyber security investment cannot be properly targeted unless this information is collected and understood, she said.

"There is much important work to do and we urge the Department to provide us with an update by the end of June.

"Meanwhile, this case serves as a warning to the whole of government: a foretaste of the devastation that could be wrought by a more malicious and sophisticated attack. When it comes, the UK must be ready."

Immediately following the WannaCry attack, the department reprioritised £21m in funding to address key vulnerabilities in major trauma centres and ambulance trusts, while a further £25m was allocated for 2017/18 to support organisations most vulnerable to cyber security risks.

The report recommended the Department of Health should provide an update by June on its national estimate of the cost to the NHS of WannaCry and how national bodies should target investment appropriately in line with service and financial risks.

It also said the department and its arm's-length bodies should support local organisations to improve cyber security and be ready for an attack by developing a full understanding of the security arrangements and IT estate of all NHS organisations.

In addition, the department should: set out how local systems can be updated while minimising disruption to services; ensure all IT suppliers are accredited and that local and national contracts include standard terms to protect the NHS against cyber attacks; and that local and national workforce plans include a focus on IT and cyber skills. ®

More about


Send us news

Other stories you might like