
NHS WannaCry review highlights need for accountability and skills

Lessons-learned report on ransomware attack calls for local NHS organisations to put cyber security bosses on their boards and consider suspending IT access to staff who have not completed cyber security training

A review of lessons learned from the WannaCry ransomware attack has called for both local NHS organisations and national bodies to improve their cyber security skills and resilience.

The report, by health and social care CIO Will Smart, highlights the need for improvement across the health and care sector, and echoes the National Audit Office report published last year by saying the attack could have been prevented had the NHS followed basic IT security best practice.

The NHS report said the health service must ensure that “when”, not “if”, another cyber attack happens, “the health and care system nationally, regionally and locally is equipped to withstand and respond to cyber attacks in an effective manner which minimises disruption to services and, most importantly, impact on patients”.

The WannaCry attack, in May 2017, was not specifically targeted at the NHS, but health organisations in England were hit hard, including 80 hospital trusts – one-third of all trusts in England. More than 600 primary care organisations were also affected.

One of the key reasons the NHS was affected so badly by the attack was the lack of patching of systems within trusts. None of the 80 trusts had applied the latest patch, despite being advised to do so by NHS Digital in April 2017.

A number of the organisations affected were not necessarily subject to the attack, but chose to shut down their systems or email as a precaution, because they lacked the skills to know what to do or had not received any advice.

The report, which sets out 22 recommendations to local and national NHS organisations, called for all of them to ensure they “have sufficient quality and capable IT technical resources to manage and support their local IT infrastructure, systems and services”, and that this should be formalised through sustainability and transformation plans.

It also called on all NHS organisations to make sure that every single board has “an executive director as data security lead, cyber security risks are regularly reviewed by the board, appropriate countermeasures are in place to mitigate and response plans are in place to address service restoration in the event of a successful attack”.


Although not an official recommendation, it also called for organisations to “consider whether access to IT systems and services should be removed from members of staff who have not successfully completed this mandatory training”.

It also asked NHS organisations to look at how their IT estate is managed, and whether staff have the proper qualifications and resources in place.

Boards should consider whether these services could be provided more effectively by third-party organisations and should “regularly assess their organisations’ IT management, cyber capability and capacity”, the report said.

The report added that one of the key challenges identified during the cyber attack was the NHS’s reliance on “third-party suppliers for the management and support of equipment”, particularly diagnostics equipment, and that organisations must ensure the right processes and controls are in place for third-party IT systems.

On a national level, the report called for NHS Digital to appoint a chief information and security officer (CISO) to report directly to NHS CIO Will Smart. “The CISO must be appointed by the end of the first quarter of the 2018/19 financial year,” the report said.

“The role will lead national cyber working groups, help inform policy and drive improvements and standardisation. In addition, it is recommended that NHS Digital appoints a dedicated cyber security lead working across NHS England, NHS Improvement and other partners such as local government in each of the NHS England regions.”

Cyber investment

The NHS has produced a “cyber handbook” in response to the lessons learned from the WannaCry attack, which sets out “the roles and responsibilities of national bodies, ensuring the clarity of ownership of each part of the system and the responsibilities of the relevant organisations”.

The government has already “reprioritised” £21m from the Personalised Health and Care 2020 programme, originally intended for ambulance trusts and trauma centres, and put it towards cyber preparedness for organisations. It has also identified a further £25m of capital funding for the 2017-18 financial year to be given to trusts that are non-compliant against NHS Digital’s CareCERT alerts, and is currently looking at cyber security funding for the next two financial years.

As part of this, an initial £150m has been identified for “continuing investment in local infrastructure as well as national systems and services to improve monitoring, resilience and response”, the report said.

So far, 190 cyber assessments of NHS trusts have been undertaken since the attack, according to the report. It said that as well as the capital funding available, organisations need more money allocated to areas such as “addressing weaknesses in their infrastructure to secure networks by upgrading firewalls, improving network resilience and segmentation to minimise the risk to medical, improving device security through device replacement and automation of patch management, and improving anti-virus protection”.
