Recommendation 20

In our 2018 report on the WannaCry Cyber-attack on the NHS, we found that the Department and its arm’s-length bodies were unprepared for the relatively unsophisticated WannaCry attack and had a lot of work to do to improve cyber-security for when, and not if, there was another attack.39 We asked how the NHS was ensuring that it had the skills it needed to manage the risks of future cyberattacks, NHS Digital acknowledged that there remained a “significant cyber risk” associated with legacy IT systems, which were especially vulnerable to cyber-attack.40 It admitted that the NHS “desperately need skills” in cyber security. It told us that it was using questionnaires to assess trusts’ exposure to cyber-security risks and was focusing its efforts on trusts at the bottom end of the 32 C&AG’s Report, para 1.4, Figure 2 33 Q37 34 C&AG’s Report, para 17 35 C&AG’s Report, para 8, Figure 4. 36 Q41 37 C&AG’s Report, para 7 38 Qq 73, 81–82 39 House of Commons Committee of Public Accounts, Cyber-attack on the NHS, HC 787, Session 2005–06, 18 April