NHS: Cybersecurity Debate
Lord Hunt of Kings Heath (Labour - Life peer)
Debate with the Department of Health and Social Care (6 years, 7 months ago)
Lords Chamber

To ask Her Majesty’s Government what assessment they have made of the response of the National Health Service to cyber attacks.
My Lords, as the lessons learned review into the WannaCry attack by the Chief Information Officer for Health and Care set out, the NHS responded well to what was an unprecedented incident. However, a number of areas for improvement were also identified. Consequently, several immediate actions were taken to improve the cyber resilience of the NHS. They included updating and testing incident plans and investing more than £60 million to improve security in local IT infrastructure.
My Lords, I welcome the measures that have been taken, but the noble Lord will know that recently the Public Accounts Committee has identified that his department and the NHS were wholly unprepared for what was a relatively unsophisticated attack, and that many trusts failed to act on warnings that they had been given to patch exposed systems. I understand that the committee said that, extraordinarily, at the time it took evidence some trusts had still not patched up their systems. My understanding is that that is because those systems were linked to the use of medical equipment, and in patching up the systems they could have damaged a lot of the service-giving infrastructure. That suggests that the NHS is in a very poor condition indeed to deal with this kind of threat in the future. Can he reassure me that the recent announcement by the Secretary of State will really do the job?
The PAC review found that the use of Windows XP was at the heart of the problem, as an unsupported and unpatched system. Several things have happened as a consequence. First, XP usage has gone down from 18% in 2015 to 1.7% now. We also have a customer support agreement with Microsoft now and are transitioning to Windows 10, which is of course fully supported and much more secure. We also have a system now called cursor collect. The notifications that go out, called cursor notifications, are due to be acted on within 48 hours. That exposes the fact that we did not have a way of tracking that. We now have a way of tracking that and enforcing action at trust level. So there is a much higher degree of security than there was. Of course, no security is ever perfect and our vigilance carries on.
The noble Lord makes an excellent point. One thing we are now doing is more intelligence-led penetration testing based on work that the Bank of England does, which is to probe in a safe way any weaknesses and to make sure that they are dealt with. The CQC has also added data security to its well-led criteria for inspections. We have now demanded that a board member of each trust takes responsibility for cybersecurity. Indeed, for a trust to be rated as well led, it has to demonstrate that competence.
My Lords, one of the things that happened when this occurred made it clear that NHS trusts did not follow the instructions they were given to patch their systems. Is the Minister assured that, if this were to happen in future, trusts would follow, without exception, the instructions given?
I am absolutely assured that they would perform much better than they did that time. I do not think I can give the assurance that every single one would do it, because there are still capacity issues in some trusts. The investment that we are carrying out is designed to deal with that. It is a much better performance, but we need to make sure that we are always vigilant for weakness in the system.