• First “high severity” cyber alert in the NHS since WannaCry regarding vulnerabilities in Windows software
  • Less than one in five trusts respond within 48 hours, as now required by law
  • Letters to be sent to trusts in future warning them they could face fines
  • National NHS cyber reporting system being overhauled

More than four in five NHS trusts failed to respond to the first “high severity” cyber alert issued since the WannaCry cyber attack, HSJ can reveal.

In response, there is a proposal to send recalcitrant trusts a warning that they could be fined under new data security rules for failure to respond fast enough.

NHS Digital committee papers from June this year, released to HSJ under the Freedom of Information Act, detail the agency’s concern over trusts’ slow or non-existent response to the threat alert sent in April.

Under EU-wide regulations that came into effect in May, all NHS trusts are legally required to respond to centrally-issued “high severity” cyber security alerts within 48 hours.

Reviews of the WannaCry global ransomware attack of May last year found some trusts’ failure to update their IT systems in response to a cyber alert the month before was a major contributor to the spread of the virus and the severe disruption of NHS services.

The papers show that on Thursday, 5 April, NHS Digital’s cyber security centre issued its first “high severity” alert since WannaCry.

The alert related to a vulnerability in Windows that could leave computers exposed to a malicious attack and trusts were expected to respond within 48 hours.

On Monday morning, four days after the alert was issued, only 16 per cent of trusts and commissioning support units had responded to the alert.

By the next morning, all CSUs had responded and NHS chief information officer Will Smart wrote to all trusts that still had not, seeking a reply.

By Friday morning, eight days after the alert, one in five of all trusts had still not responded.

Two out of three trusts that did not respond later told NHS Digital the threat did not apply to them because they did not use the Windows’ software compromised.

“This suggests that at that point there were around 15 trusts and FTs who may have had vulnerability who were yet to respond to the advisory,” the papers said.

There have been no reports of compromised NHS IT or disruption to services as a result of the vulnerability identified in the alert. There have not been high severity alerts issued since.

Responding to HSJ, an NHS Digital spokeswoman said the low number of responses was a result of most trusts not using the specific Windows software, although trusts are now required to respond regardless.

“We have been working with the boards of NHS organisations to help them build cyber resilience and ensure they are able to respond swiftly should a serious incident occur.”

A subsequent review showed that some NHS organisations cited difficulty accessing NHS Digital’s online “CareCERT” portal, where responses are meant to be lodged, as the reason for the delay.

The paper included several recommendations for improving the reporting system, including introducing text message alerts and providing NHS organisations with more guidance on how to respond to alerts.

It also recommended the Department of Health and Social Care send organisations “not compliant with testing” a letter warning that their “failure to respond to a critical alert could lead to fines”.

According to the papers, a new system was expected to be in place towards the end of 2018.

An NHS Digital spokeswoman said work was still progressing with the new system but all recommendations outlined in the review had since been completed.

HSJ  reported in June that IBM had won a contract to help NHS Digital run an expanded cyber security centre.