Trusts need more clarity about future cybersecurity funding after the WannaCry attack, Barts Health Trust’s top digital doctor has said.

Charles Gutteridge, chief clinical information officer at the London trust, said more clarity is needed on central funding for improving NHS cybersecurity since May’s ransomware attack.

Charles gutteridge

Charles Gutteridge: ‘We are waiting for someone at mission control to tell as what the plan is’

Speaking at the EHI Live conference in Birmingham, Dr Gutteridge also said the attack revealed just how fragile NHS IT infrastructure had become. “We need to think differently about the investment,” he said.

Dr Gutteridge was previously the DH’s clinical informatics director during the National Programme for IT.

Barts was the worst disrupted of 37 trusts infected in the 12 May ransomware attack, taking weeks to restore its IT systems, closing its emergency departments and cancelling at least 5,900 appointments.

He said: “We are still waiting for someone at mission control to tell as what the plan is. Being clear about what investment is coming would be a tremendously helpful.”

In his speech, Dr Gutteridge revealed the trust had continued to struggle to restore confidence in its IT systems among staff, particularly clinicians, months after they had been restored.

“Every time we have one of these events, overall the trust’s confidence in health IT wanes and takes quite a long time to recover. So, my message is: do everything you can not to let this happen,” he said.

The inability to report activity had also affected on Barts’ already large deficit, he said.

The CCIO also reiterated the importance of deploying security updates, even when these caused disruption to operations.

HSJ reported in July that at least one in five trusts had not applied a critical Windows security update ahead of the WannaCry attack, including nearly all trusts that were infected.

Dr Gutteridge said Barts was moving towards a virtual desktop system, making it less reliant of individual PCs, and phasing out Windows XP machines where possible.

In July, the Department of Health pledged £21m to improve cybersecurity at major trauma centres as an “immediate priority”.

Dr Gutteridge said on Tuesday that this funding had not been received but a trust spokesman clarified on Wednesday that the Department of Health had provided £1.6m of cybersecurity funds.

His comments came a day after the DH published new cybersecurity specifications setting out requirements that all trusts will be required to meet.

These include: cybersecurity training for all staff; a designated executive responsible for cybersecurity; compulsory reporting of infections or “near misses”; and proving trusts have responded to any critical cybersecurity alerts from NHS Digital within 48 hours.

NHS England is understood to be pushing for additional cybersecurity capital funding in the budget on 22 November.

The DH and NHS England were both approached for comment.

This story was updated at 4.35pm to reflect new information from Barts Health, correcting Dr Gutteridge’s earlier comments that trust had not received cybersecurity funding from Deparment of Health.

NHS needs at least extra £4bn for digital upgrade, says tech chief