Parliamentary Committees and Public Enquiries
Faster action needed on lessons of WannaCry attack
The Public Accounts Committee report sets June deadline for update on costed plans for vital security investment.
- Read the report summary
- Read the report conclusions and recommendations
- Read the full report: Cyber-attack on the NHS
WannaCry attack a "wake-up call for NHS"
The WannaCry cyber-attack on Friday 12 May 2017 was a wake-up call for the NHS.
The attack caused widespread disruption to health services, with more than a third of NHS trusts affected. The NHS had to cancel almost 20,000 hospital appointments and operations, and patients were diverted from the five accident and emergency departments that were unable to treat them.
Yet the NHS was lucky. If the attack had not happened on a Friday afternoon in the summer and the kill switch to stop the virus spreading had not been found relatively quickly, then the disruption could have been much worse.
Department unprepared for relatively unsophisticated attack
The Department of Health and Social Care and its arm's-length bodies were unprepared for the relatively unsophisticated WannaCry attack; they had not shared and tested plans for responding to a cyber-attack, nor had any trust passed a cyber-security inspection.
As the attack unfolded, people across the NHS did not know how best to communicate with the Department or other NHS organisations and had to resort to using improvised and haphazard ways to communicate.
The Department still does not know what financial impact the WannaCry cyber-attack had on the NHS, which is hindering its ability to target its investment in cyber security.
Work still to be done on cyber-security for next attack
Although the Department and NHS bodies have learned lessons from WannaCry, they have a lot of work to do to improve cyber-security for when, and not if, there is another attack.
The recent shocking use of a nerve agent to poison those on British soil has heightened concerns about the UK’s ability to respond to international threats, and hammers home the risks from those hostile to the UK.
A cyber attack is a weapon which can have a huge impact on safety and security. It needs to be treated as a serious, critical threat. The rest of government could also learn important lessons from WannaCry.
Comment from Committee Chair Meg Hillier MP:
"The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cyber security and response plans of the NHS.
But the impact on patients and the Service more generally could have been far worse and Government must waste no time in preparing for future cyber attacks—something it admits are now a fact of life.
It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed.
Our report sets out how and why the Department of Health and Social Care and its national bodies should take the lead in ensuring these lessons are quickly translated into action.
I am struck by how ill-prepared some NHS trusts were for WannaCry, in many cases failing to act on warnings to patch exposed systems because of the anticipated impact on other IT and medical equipment.
Government must get a grip on the vulnerabilities of and challenges facing local organisations, as well as the financial implications of WannaCry and future attacks across the NHS.
Cyber security investment cannot be properly targeted unless this information is collected and understood.
There is much important work to do and we urge the Department to provide us with an update by the end of June.
Meanwhile, this case serves as a warning to the whole of Government: a foretaste of the devastation that could be wrought by a more malicious and sophisticated attack. When it comes, the UK must be ready."