  • Local NHS leaders reminded to take steps to improve cybersecurity
  • Letter follows concerns Russian cyberattack could target UK infrastructure
  • Review after WannaCry attack found more than 200 organisations did not meet standards

NHS trust leaders have been told to shore up their cyber defences amid increased fears of a state-sanctioned attack against the UK.

A letter, seen by HSJ, has been sent to trust chief executives and commissioning support unit heads reminding them of steps to improve cybersecurity following “media reports of the increased threat of cyberattacks affecting the UK”.

The NHS was hit by the WannaCry ransomware attack in May 2017

HSJ understands the letter was prompted by concern that Russia could target UK infrastructure, including the NHS, with cyberattacks in retaliation for air strikes by British forces in Syria.

The letter is signed by NHS chief information officer Will Smart and NHS Digital deputy chief executive Rob Shaw.

It said: “We would also like to take this opportunity to remind you of the following key recommendations for NHS providers set out in the lessons learned review of the WannaCry ransomware cyberattack.”

Areas of focus include:

  • All NHS organisations should ensure they have an executive director as data security lead.
  • Boards should be assured they have sufficient quality and capable technical resources to manage and support their local IT infrastructure, systems and services.
  • Organisations should ensure their staff receive regular and targeted cyber and information security awareness training.
  • NHS providers should ensure relevant parties in their organisation receive CareCERT threat intelligence alerts from NHS Digital and other alert systems.
  • All NHS organisations should develop local action plans to achieve compliance with cyber standards by June 2021.

It is nearly a year since the NHS was hit by the global WannaCry ransomware attack.

More than 80 NHS trusts and hundreds of GP practices were disrupted by the virus, leading to ambulance diversions and thousands of appointments being cancelled.

On Tuesday, a Commons public accounts committee report said the NHS needed to move faster to close cybersecurity holes in preparation for the next attack.

At a committee hearing in February, Mr Shaw said none of more than 200 NHS organisations assessed since WannaCry were meeting the necessary cybersecurity standards.

HSJ understands an additional £63m of central funding was spent on cybersecurity in 2017-18 in response to WannaCry, and NHS England and the Department of Health and Social Care are in talks with the Treasury about further funding.

NHS Digital head of security Dan Taylor said: “Our role is to ensure that health and care organisations are equipped to make good decisions about their own cybersecurity. One way we do this is by sharing best practice and by sending regular reminders to organisations. Our aim is that cybersecurity becomes as much a part of every organisation’s regular strategic thinking as hygiene or bed management.

“This letter is simply a reminder to support NHS organisations and to ensure they understand where to come for additional guidance and how to embed security into their day to day practice.”