NHS: Cybercrime

(asked on 22nd June 2017)

Question to the Department of Health and Social Care:

To ask the Secretary of State for Health, how many cyber-security incidents have taken place in the NHS since 2010; and how many incidents there have been where (a) patient data has been accessed or compromised and (b) patient care has been interrupted or halted.


Answered by
Jackie Doyle-Price
This question was answered on 27th June 2017

Cyber resilience in the health and care system is an issue that the Government takes very seriously.

We have changed the National Health Service standard contract to include, from April 2017, cyber security requirements.

Evidence shows that the use of unsupported systems is continuing to reduce in health and care, as organisations replace older hardware. Latest estimates suggest the usage of Windows XP in the NHS has reduced from 15-18% at December 2015, to 4.7% of systems currently.

The 12 May 2017 ransomware incident affected the NHS in the United Kingdom. It is standard practice to review any major incident in the NHS. Further, the Chief Information Officer for health and care is undertaking a review into the May 2017 cyber-attack which is expected to conclude in the autumn.

The identifiable cost of emergency measures put in place to specifically address the NHS ransomware attack on 12 May 2017 was approximately £180,000. These costs were borne by NHS Digital and NHS England from internal budgets. Information relating to any expenditure incurred by individual local NHS trusts or other NHS organisations is not collected centrally.

We do not comment more widely on matters of security.
