[BreachExchange] NHS given a lashing for lack of action plan one year since WannaCry

[Audrey McNeil]

https://www.theregister.co.uk/2018/04/18/mps_slam_nhs_for_
lack_of_action_plan_one_year_on_from_wannacry/

Nearly a year has passed since the unprecedented WannaCry cyber attack and
the UK's NHS has yet to agree an action plan, according to a report by MPs.

Following the incident last June, which caused 20,000 hospital appointments
and operations to be cancelled, a Lessons Learned reviewwas published with
22 recommendations for strengthening the NHS's cyber security.

However, implementation plans have yet to be agreed, while the Department
of Health does not know exactly how much the recommendations will cost or
when they will be implemented, the Public Accounts Committee report found.

It added that some NHS organisations still have a lot to do to improve
their cyber security including Barts Health NHS Trust, one of the largest
affected by WannaCry.

200 NHS trusts have failed an on-site assessment for cyber security
resilience, MPs previously heard.

That was apparently because "a high bar" had been set for NHS providers,
although some trusts failed purely because they had still not patched their
systems – the main reason the NHS had been vulnerable to WannaCry.

Committee chair Meg Hillier said: "The extensive disruption caused by
WannaCry laid bare serious vulnerabilities in the cyber security and
response plans of the NHS.

"But the impact on patients and the service more generally could have been
far worse and government must waste no time in preparing for future cyber
attacks – something it admits are now a fact of life.

"It is therefore alarming that, nearly a year on from WannaCry, plans to
implement the lessons learned are still to be agreed."

She added: "I am struck by how ill-prepared some NHS trusts were for
WannaCry, in many cases failing to act on warnings to patch exposed systems
because of the anticipated impact on other IT and medical equipment."

Cyber security investment cannot be properly targeted unless this
information is collected and understood, she said.

"There is much important work to do and we urge the Department to provide
us with an update by the end of June.

"Meanwhile, this case serves as a warning to the whole of government: a
foretaste of the devastation that could be wrought by a more malicious and
sophisticated attack. When it comes, the UK must be ready."

Immediately following the WannaCry attack, the department reprioritised
£21m in funding to address key vulnerabilities in major trauma centres and
ambulance trusts, while a further £25m was allocated for 2017/18 to support
organisations most vulnerable to cyber security risks.

The report recommended the Department of Health should provide an update by
June on its national estimate of the cost to the NHS of WannaCry and how
national bodies should target investment appropriately in line with service
and financial risks.

It also said the department and its arm's-length bodies should support
local organisations to improve cyber security and be ready for a attack by
developing a full understanding of the security arrangements and IT estate
of all NHS organisations.

In addition, the department should: set out how local systems can be
updated while minimising disruption to services; ensure all IT suppliers
are accredited and that local and national contracts include standard terms
to protect the NHS against cyber attacks; and that local and national
workforce plans include a focus on IT and cyber skills.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180418/24f56c9a/attachment.html>