MPs have slammed the NHS for failing to agree on its plans to help prevent another WannaCry, nearly a year after the ransomware attack caused widespread disruption.
The Public Accounts Committee (PAC) has set a June deadline for an update from the health service on estimated costs for the vital cybersecurity investment needed to protect its systems going forward.
A National Audit Office report from October revealed that an estimated 19,000 operations and appointments had to be cancelled as a result of WannaCry, which disrupted 34% of NHS England Trusts, and caused infections at a further 603 primary care and other NHS organizations, including 595 GP practices.
The PAC said that although the NHS and Department of Health had learned lessons from the attack, there’s a “lot of work to do” to improve cybersecurity. It cited the recent Russian nerve agent attack as highlighting the escalating threat from hostile nations.
PAC chair, Meg Hillier, said it was “alarming” that plans to implement the lessons learned are still to be agreed, nearly a year after WannaCry.
“Our report sets out how and why the Department of Health and Social Care and its national bodies should take the lead in ensuring these lessons are quickly translated into action. I am struck by how ill-prepared some NHS trusts were for WannaCry, in many cases failing to act on warnings to patch exposed systems because of the anticipated impact on other IT and medical equipment,” she said.
“Government must get a grip on the vulnerabilities of and challenges facing local organizations, as well as the financial implications of WannaCry and future attacks across the NHS. Cybersecurity investment cannot be properly targeted unless this information is collected and understood.”
Rob Bolton, general manager of Western Europe at Infoblox, said that specialized legacy equipment and software are holding up the migration to newer, more secure operating systems.
“For example, in our recent survey of healthcare IT professionals, nearly one in five healthcare IT professionals reported that medical devices on the network are currently running on Windows XP – which is no longer supported by Microsoft, thereby introducing potential vulnerabilities – while 7% couldn’t even identify what system their medical devices are running on, meaning that they are unable to patch them,” he added.