Hospitals responsible for treating patients from major incidents including terrorist attacks will receive £21m to beef up their cybersecurity in the wake of the WannaCry assault on NHS IT systems.
Jeremy Hunt, the health secretary, has pledged the extra money to try to stop future malware attacks disrupting operations and appointments in key medical centres.
The £21m will be shared between hospitals in the NHS’s network of 27 major trauma centres across England, such as those in London and Manchester which gave specialist care to people badly injured in the Westminster Bridge, Manchester Arena and London Bridge terror attacks and the Grenfell Tower fire.
The WannaCry attack began on 12 May and disabled computers in organisations across the world, including the NHS. Hackers, whom security services believe to be in North Korea, demanded money to unfreeze the computers. The attack prevented 48 hospital trusts in England and several GP surgeries in England and Scotland from accessing patient data and led to operations and appointments being cancelled and delayed.
Hospitals receiving the new cybersecurity funding include King’s College, St Mary’s and the Royal London in the capital, as well as the Manchester Royal Infirmary. Recipients will use the cash to update their IT systems, improve staff training and become more resilient if faced again with the threat of a cyber-attack.
“The NHS has a long history of safeguarding confidential data but with the growing threat of cyber-attacks, including the WannaCry ransomware attack in May, this government has acted to protect information across the NHS,” said Lord O’Shaughnessy, the health minister.
“Only by leading cultural change and backing organisations to drive up security standards across the health and care system can we build the resilience the NHS needs in the face of a global threat.”
The move was unveiled on Wednesday as part of the government’s response to a report into NHS data security published earlier this year by Dame Fiona Caldicott, the national data guardian.
NHS Digital will also assist efforts to beef up the service’s IT security. It will broadcast alerts to warn hospitals about threats to cybersecurity, set up a hotline to deal with any incidents that occur and carry out onsite assessments to test readiness to repel an attack.
WannaCry exploited a weakness in the Windows XP operating system to cause havoc in May. The Department of Health said: “Work is under way in parallel to determine the fastest and most cost effective way to support the NHS as they complete their move away from unsupported operating systems, including Windows XP where use has already fallen in the past 18 months from 18% to 4.7%.”
Professor Helen Stokes-Lampard, the chair of the Royal College of GPs, said: “Robust cybersecurity and effective, safe data-sharing between healthcare professionals are both imperative to ensure our patients receive the best possible care right across the NHS.
“The cyber-attack was a wake-up call to many of us working in the health service about the fragility of the IT systems we are using, not just to keep our patients’ data safe, but to keep our surgeries functioning.”
The campaign group medConfidential said it was “cautiously positive” that the government’s acceptance of Caldicott’s recommendations in full would see patients’ data properly protected once the planned NHS.uk system begins, which will let patients see how their medical records are being used.
Medical leaders, including the chief medical officer, Dame Sally Davies, are keen to see much greater sharing of patients’ medical information in order to boost medical research and improve care.
“The wait for consensual, safe and transparent data flows in the NHS is hopefully almost over,” said Phil Booth, medConfidential coordinator. “The perils of a ‘national data lake’ may lie ahead, but we hope lessons have been learned, so we don’t end up back here in another four years.”