Cyber attacks are “weapons” which should be treated as a serious, critical threat, a leading group of MPs have said as they called on the whole of Government to learn lessons from the WannaCry attack on the NHS.
In a report on the cyber breach in the health service last year, the Public Accounts Committee (PAC) referred to the nerve agent poisoning of double agent Sergei Skripal and his daughter Yulia, saying the incident has “heightened concerns about the UK’s ability to respond to international threats”.
The MPs warned that cyber attacks can have a “huge impact” on safety and security.
The comments come after Britain and the US issued a formal alert about “malicious cyber activity” by Russia.
The latest PAC report details how the Department of Health and Social Care (DHSC) and its arm’s-length bodies were “unprepared” for the global WannaCry attack, which disrupted NHS services in May last year.
MPs said that the attack could have been “much worse” and that the NHS was “lucky” that the threat was tackled quickly.
They said that the attack was “relatively unsophisticated” in that it locked devices but did not seek to alter or steal data. But they warned: “Future attacks could be more sophisticated and malicious in intent, resulting in the theft or compromise of patient data.”
The WannaCry attack, which occurred in May last year, affected more than 200,000 computers in at least 100 countries.
Data on infected computers was encrypted and users faced a ransom demand to unlock their devices.
A total of 80 of 236 NHS trusts across England suffered disruption, because they were either infected by the ransomware or had turned off their devices or systems as a precaution. The ransomware infected another 603 NHS organisations including 595 GP practices.
The health service was forced to cancel almost 20,000 hospital appointments and operations as a result and five A&E departments had to divert patients to other units.
The report states: “The NHS was lucky. If the attack had not happened on a Friday afternoon in the summer and the kill switch to stop the virus spreading had not been found relatively quickly, then the disruption could have been much worse.
“The DHSC and its arm’s-length bodies were unprepared for the relatively unsophisticated WannaCry attack; they had not shared and tested plans for responding to a cyber attack, nor had any trust passed a cyber security inspection.”
The PAC report states that the DHSC know more about NHS preparedness for a cyber attack now, but still have more to do to support trusts to meet required cyber security standards and to respond to a breach.
They concluded: “Although the Department and NHS bodies have learned lessons from WannaCry, they have a lot of work to do to improve cyber security for when, and not if, there is another attack.
“The recent shocking use of a nerve agent to poison those on British soil has heightened concerns about the UK’s ability to respond to international threats, and hammers home the risks from those hostile to the UK.
“A cyber-attack is a weapon which can have a huge impact on safety and security. It needs to be treated as a serious, critical threat. The rest of Government could also learn important lessons from WannaCry.”
PAC chairwoman Meg Hillier said: “The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cyber security and response plans of the NHS.
“But the impact on patients and the Service more generally could have been far worse, and Government must waste no time in preparing for future cyber attacks – something it admits are now a fact of life.
“Meanwhile, this case serves as a warning to the whole of Government: a foretaste of the devastation that could be wrought by a more malicious and sophisticated attack. When it comes, the UK must be ready.”
In an interview with the Press Association, Ms Hillier added: “With WannaCry it was a relatively lucky escape because of when it happened and how quickly it was fixed, it might not be so lucky next time.
“We had a glimpse of what could happen and it’s a very big challenge to get this resolved, but it has got to be front and centre of the Government’s thinking.
“One of the biggest areas where we need to be defending ourselves is on cyber security because the impact on our country and day-to-day lives could be immense.”
A Department for Health and Social Care spokeswoman said: “Every part of the NHS must be clear that it has learned the lessons of Wannacry.
“The health service has improved its cyber security since the attack, but there is more work to do to protect data and patient care.
“We have supported that work by investing over £60 million to address key cyber security weaknesses – and plan to spend a further £150 million over the next two years to improve resilience, including setting up a new National Secure Operations Centre to boost our ability to prevent, detect and respond to incidents.”
A spokesman for the National Cyber Security Centre said: “WannaCry was a wake-up call for everyone in the UK to prepare robustly for the very real cyber threats we face.
“Cyber security of the UK is a top priority for the Government, which is why £1.9 billion has been invested in the National Cyber Security Strategy and the National Cyber Security Centre (NCSC) has been opened.
“Part of our cyber security programme is focused on targeted investment in the public sector to make sure protection is as effective as it can be. This is only part of the answer and we are continually working with public sector organisations to help them assess and recognise the commitments they need to make as well.”