Trusts will likely face stricter cyber security standards after the WannaCry attack, while there may be additional funding to help improve resilience in some areas, a national NHS IT chief has said.

Speaking at the Digital Healthcare Show in London today, NHS England chief information officer Will Smart revealed some of the policy responses being considered to the WannaCry ransomware attack. 

The global WannCry virus on 12 May had an unprecedented impact on the NHS, infecting at least 47 trusts and led to the cancelling of thousands of planned operations and outpatient appointments across the country.

Mr Smart, who is leading a review of the NHS’s response to the attack, said possible policy responses could include support for parts of the NHS with “long term underinvestment in IT infrastructure”.

This could include major trauma centres and supporting other critical care pathways, he indicated. ”We need to look at what our response is to that,” he said. “But I don’t want people to think this is just about the centre putting their hands in their pocket.”

Trust boards should expect both more guidance and support on cybersecurity but, if they failed to meet expected standards, also more enforcement scrutiny, he said. The Care Quality Commission is already due to include data security standards in inspections, following a review last year. 

Mr Smart said the review was considering requiring boards to make a form of statement of “cyber resilience” to make it clear “they are aware of the risks”.

“If cyber is not on the top five in [an] organisation’s risk register in the NHS, that is a real problem.”

Other changes could include creating new standards for patch, or security update, management, a vulnerability that was exposed in the WannaCry attack.

“We are having lots of conversation around standards, assurance, and enforcement in cyber,” Mr Smart said.

The review was also looking at improving the speed of central NHS communication after a cyber attack, he said. Central NHS organisations struggled to communicate with some parts of the NHS that shut down their email services in response to the WannaCry attack.

It is considering: “How do we get information out to people quickly at the frontline?”

However, Mr Smart and several other speakers at the show, including NHS Digital’s head of security Dan Taylor, said overall the NHS had responded extremely well to the WannaCry attack.

Most trusts were not affected. Those that were mostly responded quickly and kept the majority of patient services running.

“We shouldn’t beat ourselves up too much,” Mr Smart said.

Mr Smart said more specific guidance would come out of the review, the recommendation of which are expected to be published in September.

Topics