£175m diverted to protect NHS from digital threats

NHS England’s review, published today, of the WannaCry cyberattack in May 2017 said a “rigorous reprioritisation” of £175m of technology funding was underway and “further reprioritisation and additional investment for cybersecurity are being looked at”.

The first £25m of this money would be spent in 2017-18 to help trusts assess their vulnerabilities to a cyberattack. The rest will be spent through to 2020-21.

Money will be spent on improving trusts’ IT systems and central agencies’ ability to respond to and detect threats.

In addition, local organisations will “need to commit local capital and revenue funding to maintain and refresh their own IT estates, including ensuring that these are operating on supported versions of software”.

In December, NHS England chief information officer Will Smart, who wrote the review, told an NHS Improvement committee that overall the NHS needed to spend £1bn on cybersecurity.

However, this figure was omitted from today’s report. NHS England said the figure was part of an “early draft” and did not account for existing spending.

Sources told HSJ the £1bn number came from of an external report commissioned as part of the review and there was considerable debate regarding its exclusion.

NHS England and the Department of Health and Social Care are in discussions with the Treasury about securing extra funding for cybersecurity.

On 12 May last year, the WannaCry ransomware virus disrupted services at 80 trusts and hundreds of GP practices, and resulted in the cancellation of thousands of appointments and operations.

A Windows security update, which would have protected trusts from the virus, was released weeks before but many trusts – including all those infected – had not applied it.

The review said the “NHS responded well to what was an unprecedented incident, with no reports of harm to patients or of patient data being compromised or stolen”.

However, it also said there needed to be a change in “mindset” in the health service, which prioritised meeting the threat of future attacks.

The report added: “WannaCry has made clear the need for the NHS to step up efforts with cybersecurity so that every possible protection is taken to defend against a future attack.”

Several new cybersecurity support measures, requirements and regulatory powers were announced in the wake of WannaCry.

These included a new agreement with Microsoft allowing trusts to move from older, more vulnerable versions of Windows; £21m of capital to protect major trauma centres; requirements for trust boards to have a cybersecurity plan; and a data security element to inspections.

The review recommended the creation of a national chief information and security officer; the development of region-wide health business continuity plans; more training; and giving NHS Digital the power to isolate infected local NHS networks.

The Commons public accounts committee is holding an inquiry into impact of the WannaCry attack on the NHS, with NHS England, the DHSC and other agencies scheduled to appear at a committee session on Monday.