My Lords, as the lessons learned review into the WannaCry attack by the Chief Information Officer for Health and Care set out, the NHS responded well to what was an unprecedented incident. However, a number of areas for improvement were also identified. Consequently, several immediate actions were taken to improve the cyber resilience of the NHS. They included updating and testing incident plans and investing more than £60 million to improve security in local IT infrastructure.
My Lords, I welcome the measures that have been taken, but the noble Lord will know that recently the Public Accounts Committee has identified that his department and the NHS were wholly unprepared for what was a relatively unsophisticated attack, and that many trusts failed to act on warnings that they had been given to patch exposed systems. I understand that the committee said that, extraordinarily, at the time it took evidence some trusts had still not patched up their systems. My understanding is that that is because those systems were linked to the use of medical equipment, and in patching up the systems they could have damaged a lot of the service-giving infrastructure. That suggests that the NHS is in a very poor condition indeed to deal with this kind of threat in the future. Can he reassure me that the recent announcement by the Secretary of State will really do the job?
The PAC review found that the use of Windows XP was at the heart of the problem, as an unsupported and unpatched system. Several things have happened as a consequence. First, XP usage has gone down from 18% in 2015 to 1.7% now. We also have a customer support agreement with Microsoft now and are transitioning to Windows 10, which is of course fully supported and much more secure. We also have a system now called CareCERT Collect. The notifications that go out, called CareCERT notifications, are due to be acted on within 48 hours. That exposes the fact that we did not have a way of tracking that. We now have a way of tracking that and enforcing action at trust level. So there is a much higher degree of security than there was. Of course, no security is ever perfect and our vigilance carries on.
My Lords, in Scotland it is possible for your records to be transferred from one hospital to another or from your GP to your hospital without any consequences at all. One of the concerning things about the Public Accounts Committee report is the systemic failures in IT overall in NHS England. One example is where regional hospital A cannot receive data from district hospital B, even if it is a simple blood test, because they use different systems; the consultant I spoke to said that he actually advises people to use faxes. This is our NHS in the 21st century.
The noble Baroness is highlighting a historic problem about interoperability between different bits of the NHS in England. That is absolutely fair enough. I would highlight two things that we are doing. First, the National Data Guardian for Health and Care has defined 10 data standards that should apply to both security and interoperability between different systems, and those now apply in all key NHS contracts, including the standard NHS contract. Secondly, we have launched a programme to appoint up to five local health and care record exemplars, which will provide interactive and interoperable data for patients for their direct care—so that the issue we have at the moment of data sometimes falling between different institutions will not happen any more.
My Lords, obviously data security is absolutely vital, but so is the collection of data. If we are going to move forward it is so important that we collect that data for research and treatment. Can my noble friend the Minister give us some kind of indication of how we can make sure that the general public feel happy to give their data to the health service?
My noble friend makes an excellent point. Not only is it critical that data is joined up for direct care—quite rightly, patients are amazed when that does not happen—it is an absolutely essential resource for research into new treatments. One thing we are doing to try to provide that reassurance to the public, which has not always been there, is introducing a new data opt-out at the end of this month to provide that reassurance for patients who do not want to be part of it. We are focused on providing that resilience and security so that they can be confident that, when the NHS holds their data, it uses it securely, safely and legally.
My Lords, one of the lessons learned following the WannaCry attack was that the weakest links in the NHS had to be identified. The Minister has already referred to the upgrading of software that was found to be weak. What work is being done to identify other areas in the NHS that would be open to cyberattacks?
The noble Lord makes an excellent point. One thing we are now doing is more intelligence-led penetration testing based on work that the Bank of England does, which is to probe in a safe way any weaknesses and to make sure that they are dealt with. The CQC has also added data security to its well-led criteria for inspections. We have now demanded that a board member of each trust takes responsibility for cybersecurity. Indeed, for a trust to be rated as well led, it has to demonstrate that competence.
My Lords, one of the things that happened when this occurred made it clear that NHS trusts did not follow the instructions they were given to patch their systems. Is the Minister assured that, if this were to happen in future, trusts would follow, without exception, the instructions given?
I am absolutely assured that they would perform much better than they did that time. I do not think I can give the assurance that every single one would do it, because there are still capacity issues in some trusts. The investment that we are carrying out is designed to deal with that. It is a much better performance, but we need to make sure that we are always vigilant for weakness in the system.