An NHS Improvement committee has recommended that trusts are assessed on cybersecurity, in the wake of the cyberattack earlier this month.

The regulator’s technology and data assurance committee met three days after the attacks on 12 May. Minutes of the meeting, published on Thursday, said there were questions as to where accountability sat in the system.

Ed Smith said ‘some people did some things that hindered a quick solution’

The minutes said: “A discussion took place on ensuring appropriate accountability for the management of cybersecurity risk. The role of NHS Improvement as a regulator was considered alongside the role of NHS provider boards and leadership teams.

“The committee considered that this needed to be explicitly included under the ‘well led’ heading of the single oversight framework for providers. The importance of regular training and education of staff was also noted.”

NHS Improvement discussed a paper on cybersecurity in private on Thursday afternoon and chief executive Jim Mackey said the fallout from the cyberattack was likely to continue for a few months.

Mr Mackey told the regulator’s board meeting: “The incident pointed out some gaps in who does what. We are trying to make sure those gaps are filled in the future.”

NHS Improvement chair Ed Smith said: “Some people did some things that hindered a quick solution.”

HSJ understands the regulator was not as involved in coordinating the response to the hacking as it could have been.

Mr Mackey and Mr Smith praised the response of staff in the wake of the cyberattack, which led to cancelled operations across the NHS.

Mr Mackey pointed to one region where trusts coordinated their own response, supporting one another across STP boundaries.

A report into how the NHS responded to the incident is expected later in the year.

Mr Mackey said disaster response plans for other kinds of events, like significant road traffic accidents, were already in place, while Mr Smith said plans for response to another cyberattack would be “tested to destruction”.

The minutes also said: “The link between computers and medical devices was considered [and] consideration was given to strategies which could be put in place to improve the resilience of NHS organisations to future cyberattacks.

“The importance of ensuring that ‘patches’, which addressed areas of vulnerability in software, were installed by providers was highlighted. The committee also discussed the need for investment in the upgrading of software.”