NHS 'could skimp on cyber security' as it says £800m to bolster its defences is not 'value for money' in the wake of the devastating WannaCry cyber attack
- NHS Digital documents said a cyber expert's recommendations were 'useful'
- But it said paying £800m to £1bn for all providers to be protected was too much
- The WannaCry virus last year led to up to 20,000 appointments being cancelled
- And smaller online attacks have happened regularly, it is reported
By Sam Blanchard Health Reporter For Mailonline
Published: 13:14 EDT, 5 October 2018 | Updated: 15:17 EDT, 5 October 2018
The NHS could cheap out of getting robust cyber security after being told it would cost up to £1 billion to protect against hackers.
Health officials have said paying for the recommended level of online protection 'would not be value for money', despite a huge cyber attack last year.
The WannaCry attack last May led to thousands of cancelled operations, postponed GP appointments and diverted ambulances.
But NHS Digital is reluctant to fork out for full protection, despite recommendations from a Government review and ongoing smaller cyber attacks.
The WannaCry cyber attack crippled computers at 81 hospital trusts and hundreds of GP surgeries in May last year, demanding £230 from every employee who was locked out of their computer with this warning screen
NHS Digital, responsible for the online operations of the organisation, said an expert's recommendations on cyber security were 'useful'.
But it indicated it wouldn't pay the money for all its health providers to take them on board, according to the Health Service Journal (HSJ).
NHS Digital documents seen by the HSJ under a Freedom of Information request revealed the health service's position on the Government-commissioned review.
Published in February, the review advised the entire NHS to meet a standard called Cyber Essentials Plus (CE+), adding it would cost £800 million to £1 billion to put in place.
'This [the standard] should be the minimum bar that all health and social care organisations must meet,' the report read.
But NHS Digital papers said: 'While NHSD believes using the CE+ as a benchmark is useful, getting all providers to accreditation would not be value for money.'
HOW DID THE WANNACRY CYBER ATTACK CRIPPLE THE NHS?
More than a third of hospital trusts – 81 in total – had their computer systems crippled in the WannaCry ransomware attack last May.
Nearly 20,000 hospital appointments were cancelled because the NHS failed to provide basic security against cyber attackers.
When the attack came on May 12 it ripped through the out-of-date defences used by the NHS.
The virus spread via email, locking staff out of their computers and demanding £230 to release the files on each employee account.
Doctors and nurses had to rely on pen and paper and crucial equipment such as MRI machines was also disabled by the attack.
Nearly 20,000 medical appointments were cancelled, including 139 potential cancer referrals. Five hospitals had to divert ambulances away at the peak of the crisis.
Hospitals were found to have been running out-of-date computer systems, such as Windows XP and Windows 7 – which had not been updated to secure them against such attacks. Computers at almost 600 GP surgeries were also victims.
Computer systems in 150 countries were caught up in the attack, which saw screens freeze with a warning they would not be unlocked unless a ransom was paid.
Smaller online attacks have been recorded numerous times this year, with 122 'data security incidents' reported by the NHS between May 25 and June 30.
These incidents are believed to have put patients' data at risk, and the HSJ revealed last month that 80 per cent of trusts failed to respond to a high severity alert in April.
During the WannaCry attack – the last high severity alert to have hit the health service – almost 20,000 appointments had to be cancelled.
NHS computers around the country – in 81 hospital trusts and hundreds of GP surgeries – were infected with the virus, which locked staff out of their user accounts.
The hackers demanded £230 per employee to let them use their computers again, and crippled the out-of-date computer systems used by so many staff.
At the time the Department of Health and Social Care (DHSC) was criticised by the Government for not acting fast enough to fix the failure.
The DHSC is expected to release a report soon examining what went wrong, but is not expected to increase the NHS's budget for cyber security.
The NHS faced multiple computer breaches in April this year alone.
One or more branches of the NHS were affected by hackers trying to steal patient data, and websites trying to launch phishing attacks – to steal people's personal information – disguised themselves as NHS websites.
And another NHS organisation had been storing sensitive information in an 'easily accessible' online database, the HSJ reported.
A Department for Health and Social Care spokesperson said: 'The health service has improved its cyber security since the attack, and we have supported this work by investing over £60 million to address key cyber security weaknesses.
'We plan to spend a further £150 million over the next two years.'