• Public accounts committee hears evidence on NHS cyber attack response
  • NHS Digital says none of 200 NHS organisations assessed have passed the new cyber security standards
  • Trusts considered particularly at risk face unannounced CQC cyber security inspections

Trusts with lax data security are receiving additional unannounced inspections, as regulators try to patch security vulnerabilities in the wake of the Wannacry cyber attack.

NHS Digital deputy chief executive Rob Shaw told the Commons public accounts committee on Monday that the agency, in assisting the Care Quality Commission, was conducting unannounced visits of some trusts up until the end of March.

”As part of the well led inspections, CQC is also doing an unannounced inspection where there is a concern about cyber security,” he said.

These checks, which will become standard for CQC inspections this year, are focusing on whether the trusts were meeting new cyber security standards introduced since the cyber attack last May, the worst in NHS history.

Mr Shaw also said NHS Digital had now conducted 200 on site cyber security assessments of NHS organisations, about 110 since the attack, and all organisations had failed to meet the new standard.

“It is quite a high bar. Some have failed purely on patching, which was [the] vulnerability with Wannacry.”

NHS Digital said the current round of unannounced cyber security inspections would be reviewed before deciding whether they would continue, he said.

Responding to questions about trusts’ readiness for another attack, NHS England chief information officer Will Smart told the same committee hearing that national officials had a list of trusts most at risk and was focused on supporting that group.

He declined to say how many trusts fell into this category, but said Barts Health Trust - which was most disrupted by Wannacry - was included.

The committee is holding an inquiry into the cyber attack on 12 May last year, which affected more than 80 trusts and hundreds of GP practices, leading to ambulance diversions and the cancellation of thousands of operations and appointments.

The committee heard evidence from NHS England chief executive Simon Stevens, Mr Smart, Department of Health and Social Care permanent secretary Sir Chris Wormald, NHS Improvement former chief executive Jim Mackey, and Mr Shaw.

Questions from the committee included why NHS bodies hadn’t prepared more effectively for a cyber attack, why it had not quantified the cost of the attack, and whether there was adequate funding.

NHS England chief executive Simon Stevens said while the system had responded well it was clear that “on the back of Wannacry, a whole bunch of things need to change”.

The attack has also been subject to several reviews, including a National Audit Office report that was critical on central agency co-ordination and preparation.

NHS England’s own review, released last week just ahead of the committee’s first hearing, found at least £175m of central funding would need to be diverted to improve cyber security across the NHS, as well as local NHS organisations increasing their spending.

An HSJ anaylsis last year found at least one in five trusts, including all infected trusts, had not applied a critical Windows security update that would have protected them from Wannacry, despite being warned weeks beforehand.