Government’s lack of action on WannaCry is ‘alarming’ – PAC

Written by Sam Trendall on 18 April 2018 in News

Report from MPs says that, a year on from the cyberattack, government and the NHS must now take action

Almost a year on from WannaCry, the Public Accounts Committee has expressed its alarm at how little action has been taken “to improve cybersecurity for when, and not if, there is another attack”.

In February, NHS England and the Department of Health and Social Care published a review of the lessons that have been learned from the WannaCry attack. A PAC report published today expressed concern that, more than 11 months after the ransomware assault, these lessons have yet to translate into the necessary implementation initiatives. 

MPs have instructed the department and the wider NHS to formalise an action plan and report back to the committee by the end of June.

PAC said: “The department and its national bodies should urgently consider and agree implementation plans arising from the recommendations within their Lessons Learned… document, prioritising and costing actions, setting a clear timetable, and ensuring national and local roles, responsibilities, and oversight arrangements are clear.”

MPs added that the plans should include details of likely financial cost, and must make clear what NHS bodies at both a national and local level should do during a cyberattack – including setting out arrangements for various communications channels if email, for example, is compromised. Central government should also support local NHS entities in rolling out cybersecurity improvements, the committee said.




This help should include a clear plan for “how local systems can be updated whilst minimising disruption to services, and [providing] guidance and support to do this”. All suppliers of IT and medical technology should also hold some form of cybersecurity accreditation, MPs said, while NHS staffing plans at both a local and national level ought to “include a focus on IT and cyber skills”.

In implementing these recommendations, the department is encouraged to work closely with the Cabinet Office and the wider civil service, as well as the National Cyber Security Centre.

PAC chair Meg Hillier said: “The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cybersecurity and response plans of the NHS. But the impact on patients and the service more generally could have been far worse, and government must waste no time in preparing for future cyberattacks—something it admits are now a fact of life. It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed.”

A spokesperson for the Department of Health and Social Care said: “Every part of the NHS must be clear that it has learned the lessons of WannaCry. The health service has improved its cybersecurity since the attack, but there is more work to do to protect data and patient care.

“We have supported that work by investing over £60m to address key cybersecurity weaknesses – and plan to spend a further £150m over the next two years to improve resilience, including setting up a new National Secure Operations Centre to boost our ability to prevent, detect and respond to incidents.”

About the author

Sam Trendall is editor of PublicTechnology
