• NHS England issues warning to all organisations to be on guard
  • Sloman tells trusts: IT systems must be “patched, protected, and immutable backups put in place”
  • Further technical guidance due “this week”

NHS organisations have this evening been asked to strengthen their defences against cyber attacks, following Russia’s invasion of Ukraine.

NHS England cautioned trusts to ensure their IT systems are “patched and protected, and that immutable backups are in place”. Further guidance will be issued to technical teams “this week”, according to the email to trusts leaders this evening.

NHSE chief operating office Sir David Sloman’s email said: “Following Russia’s further violation of Ukraine’s territorial integrity, the National Cyber Security Centre has called on organisations in the UK to bolster their online defences.

“Further guidance will be issued to NHS technical teams this week, and we ask that leaders support their teams to undertake priority activities to further strengthen cybersecurity resilience.”

Sir David added: “NHS leaders should confirm with their local teams that systems are patched and protected, and that immutable backups are in place. The [NCSC] has issued guidance for organisations to take during periods when the cyber threat is heightened. Please ensure your organisation is following this guidance.”

The biggest successful cyberattack on the NHS was the WannaCry ransomware attack in May 2017, which forced more than 80 trusts to shut down their IT systems down to avoid or minimise infection, causing operational mayhem.

HSJ exclusively revealed in July 2017 that more than one in five trusts had failed to properly apply security updates that would have protected them against the worst cyberattack in NHS history.

NHS leaders will be hoping the WannaCry affair acted as a wake-up call for the system, but the sheer number of aging systems and lack of funding to maintain defences means cyber security poses a major risk.

Sajid Javid was asked at the HSJ Digital Transformation Summit on Thursday about whether Russian cyberattacks posted a particular threat to the NHS because of the escalating conflict. 

He said: ”I think it’s sensible for us to be prepared for all types of Russian action. It would be inappropriate for me and the government to discuss the kind of preparations we make, and exactly the form. But I think it’s common sense to be prepared.”

The health and social care secretary said in his speech to the event: “The shocking events of the past few weeks have reminded us of cyberattacks and how established a form of conflict they’ve now become, and we can only make these digital reforms if we keep the system safe from those who want to cause us harm.

“A chain is only as strong as its weakest link, and we are shoring up cyber resilience in all parts of health and care, backed by over £300m of investment since 2017. In this period we have prevented four major cyberattacks which could have caused a catastrophic impact on the front line.”