
NHS faces searching questions over its information and IT governance

David Bicknell Published 13 May 2017

Following Friday's cyber attack, self-policing of IT governance might need to be taken out of trusts’ hands to verify hospital systems have been effectively security patched and updated

The scale of the problem facing the NHS in updating and patching its IT systems to prevent a recurrence of yesterday’s Wanna Decryptor ransomware attack has led to calls for stronger central control of information governance.

That could mean a role for organisations such as the Care Quality Commission or NHS Digital, which would be charged with inspecting hospital IT systems to verify that their IT security and information governance is effective, that systems are patched up to date, and that they are better able to withstand a cyber attack. Such a role would be expensive and difficult to set up, but some might argue it is now necessary.

Previously, hospital trusts have been trusted to self-regulate and to verify that their systems – many of them running Windows XP – have been effectively patched. But the financial pressures facing the NHS inevitably mean, according to one GP, that in some cases trusts are simply saving money on their IT, and particularly on their IT security, because they have so many financial concerns elsewhere.

That means several Windows XP machines go unpatched, with the effect seen at several trusts yesterday.

Yesterday’s cyber attack hit several countries and sectors. But because of its outdated systems, it was the NHS which appears to have been the biggest victim.

The knock-on effect will be significant. Hospitals whose systems were affected by the attack will have to recover. And those that shut down their systems and opted to use simple pen and paper will themselves have to spend time transcribing hand-taken notes and subsequently updating their patient systems.

Despite the frustration and despair caused by yesterday’s attacks, some in the NHS still worry about a more significant attack that could target patient data. Dr Neil Bhatia, GP and Caldicott Guardian for the Oaklands Practice in Yateley, Hampshire said GP practices’ patient data is largely no longer held locally at surgeries but held securely in the cloud.

The assumption, so far, is that trusts’ patient databases have not been affected. But that has yet to be proven, despite Prime Minister Theresa May’s immediate insistence that there is “no evidence that patient records have been compromised”.

Hospitals have spent the last 24 hours trying to recover from Friday’s security worries. Some were cautiously optimistic that they are getting back to normal. The Royal Berkshire NHS Foundation Trust in Reading told Government Computing that it was hoping to run patient clinics over the weekend and planned operations and appointments for Monday should be attended as usual.

However, the Royal London hospital was said on Saturday afternoon to be unable to accept trauma or stroke patients. In a statement titled “IT disruption”, Barts Health NHS Trust said, “We are continuing to deal with a major IT disruption and we are sorry for any delays experienced at our hospitals. We have activated our major incident plan to make sure we can maintain the safety and welfare of patients.

"Some ambulances are being diverted to neighbouring hospitals and we are very sorry that we have had to cancel some routine appointments. There will be no outpatient appointments at our hospitals on Saturday 13 May. All patients who have their appointment cancelled will be contacted as soon as possible to reschedule.”

In a statement on the attacks, Ciaran Martin, chief executive of the National Cyber Security Centre (NCSC) said, “We are very aware that attacks on critical services such as the NHS have a massive impact on individuals and their families, and we are doing everything in our power to help them restore these vital services.

“It is important that organisations reduce the risks of these attacks happening to them. There are three pieces of important advice to help protect your organisation:

  • Make sure your security software patches are up to date
  • Make sure that you are running proper anti-virus software
  • Back up your data somewhere else because you can’t be held to ransom if you’ve got the data somewhere else.”

The extent of the attacks has also raised concerns about the impact on the cyber defences of the wider public sector. A report on the launch of the NCSC has six mentions of the public sector in 22 pages, but, strangely, not a single mention of the NHS. The report does, however, promise a free vulnerability scanning service for public organisations.

It says, “We are developing a service to track and promote the adoption of ‘WebCheck’ that will allow government organisations to create an easy-to-read report about any common vulnerabilities on internet domains they own and help them to put them right. We want to build reputation services to help digital service owners make transaction risk decisions.

“Initially this service will give reputation information for IP addresses connecting to the service and credentials that are used, but we’re looking to extend that over time. We are also looking to experiment on government with novel cyber security techniques and capabilities.

“One example is a software agent that runs at low privilege on a government workstation and sends metadata back to a central processing facility for analysis. We don’t know yet whether we can detect unknown attacks and exploits using this sort of technique, but there are some experiments taking place to find out.”
