NHS Digtal’s interim chief executive has defended the organisation’s performance in the wake of last month’s cyber-attack, saying it responded quickly to help infected trusts.
On Wednesday, in his first report to the NHS Digital board since the 12 May WannaCry ransomware attack, Rob Shaw said the organisation issued a targeted bulletin to trusts on the day of the attack ”as soon as we received clear, corroborated intelligence”, outlining how to respond to malware infection and prevent the virus spreading.
“It was obviously paramount to have clear, substantiated evidence of the issue and an accurate understanding of what steps were best to take before communicating with organisations, in order to ensure there was no misinformation and that organisations could act as quickly as possible to resolve any issues,” he said.
The attack, which disrupted hundreds of organisations worldwide, infected at least 47 NHS trusts and led to the cancellation of thousands of planned appointment and operations.
While most trusts infected in the attack are now running normally, questions remain about how the virus penetrated NHS IT systems and the extent to which ageing IT infrastructure and patchy cyber security practises contributed to its spread.
Mr Shaw said within an hour of the basic details of the attack being confirmed, NHS Digital had set-up a specialist helpline.
During the immediate response 45 NHS Digital staff were involved in supporting affected trust, along with 14 consultants and IT supplier staff.
Mr Shaw’s comments came after a NHS Improvement board meeting, reported by HSJ last week, in which chief executive Jim Mackey said there were “gaps in who does what” in the immediate aftermath of the cyber-attack. NHSI chair Ed Smith said: “Some people did some things that hindered a quick solution.”
During a NHS England board meeting last Thursday, chief executive Simon Stevens said there had been ”some very effective work took place in response” to probably the first national cyber attack on the NHS.
However, there were a “number of lessons” that government agencies involved, including NHS Digital, NHS England and NHS Improvement, needed to take from the response, he said.
“There is work, under the leadership on NHS Digital and colleagues, that we will be needing to take, as a system, over the course of the next several weeks and months.”
Speaking to the NHS Digital board on Wednesday, Mr Shaw also said there was some “inaccurate” speculation about forewarning of the ransomware attack.
However, he did confirm that NHS Digital was first informed of link between “a specific threat” and a patch released by Microsoft to close security vulnerabilities in Windows on 24 April, 19 days before the attack.
NHS Digital alerted trusts to this link, and the patch to close the vulnerability, on 25 April and again on 28 April, Mr Shaw told the board
Mr Shaw said NSH Digital was still working with National Cyber Security Centre to establish the cause of ransomware attack.
”Since the attack happened we have been talking a number of further steps. We continue to work very closely with the National Cyber Security Centre and partner bodies to support NHS organisations.”
“Speculation” that national NHS IT systems managed by NHS Digital, such as the NHS Spine or N3 Network, were infected were also incorrect, he said.
An NHS Digital spokeswoman said there would be an internal review of its own approach to the attack and “lessons learnt”. She said: “Expect future developments through summer.”
While the National Crime Agency and National Cyber Security Centre are leading an ongoing criminal investigation, government health agencies have yet to announce any formal external review of the impact and response to the biggest ever cyber-attack on the NHS.
A Department of Health spokesman directed HSJ’s inquiries about a possible formal review to National Cyber Security Centre. A National Cyber Security Centre spokesman said no formal review was being conducted, and the criminal investigation did not specifically focus on the impact or response in the NHS.