0:00:28 You are considering the report on the cyber attack on the NHS. The developments of information technology, including cyber, are increasingly important in the way the NHS functions and the country in general. Developments present challenges and risks as well as benefits and opportunities. This was demonstrated by the cyber attack last May which caused disruption around the world, including to our own NHS. The attack affected one third of trusts and caused 19,000 hospital appointments to be cancelled, and affected 603 primary care organisations and 595 GP practices. The newly named Department of Health and Social Care and the NHS were aware of the threat of a cyber attack, yet were unable to prevent the widespread disruption caused. The NHS was able to manage the attack using existing emergency response arrangements and requirements, but we were fortunate the attack was not more damaging. We want to get answers from NHS England, NHS Digital and NHS Improvement on what they learned from the attack and what actions they will take to make sure they can better prevent and recover from any future cyber attack. Late last week NHS England and NHS Improvement published their lessons learned review on the attack. It may have been a coincidence that the publication was ahead of today's hearing, maybe not. It builds on the report with its 22 recommendations. From it, we need to understand more about this document and its context, specifically how priorities are being set, where the resources are coming from and the timing of those dimensions. It is unclear from the report how the numerous recommendations and their implementation will work. We are pleased to welcome our illustrious team of witnesses: Rob Shaw, deputy chief executive of NHS Digital; the Permanent Secretary of the Department of Health, who is a frequent flyer to this committee; almost as frequent but not quite, next to him Simon Stevens, chief executive of NHS England; then the chief information officer of NHS England and Improvement; and Jim Mackey, former chief executive of NHS Improvement. Welcome, gentlemen. I should perhaps start with a general question to Sir Chris. Can you ensure that no person was harmed and that there is no future risk to NHS information?

0:03:33 Both are in the report. No one paid the ransom and we do not have any direct cases of patient harm resulting from this attack, which, as you said, was considerably disruptive, affecting patients. Can we guarantee future security? No, we can't. Just like for every other organisation, cyber attacks and cybercrime are facts of life. If you believe you are completely safe from cybercrime, that would be an extremely bad sign indeed. I cannot give you that reassurance. While I am here, I will pick up your point: it is not a coincidence that we published our response in advance of this hearing, because this was work already in train. We had commissioned this after WannaCry and of course we wanted to be able to be frank with the committee about what we were actually doing at this point. We wanted to set that out rather than sitting here knowing there was more to come. It is nothing to do with this hearing that the report exists, but we wanted this committee to be informed.
0:05:10 We will come to our more technical witnesses and ask how we can be sure that there is no threat to the NHS in future, or to its information, from this attack. How can you be sure the virus has been eliminated from NHS systems?

0:05:26 I don't think we can guarantee the threat has gone away. The threat continues. Over the course of the week of the major incident, local organisations put in a huge amount of work; local staff up and down the country patched systems, put in place or changed firewalls to improve the resilience of the organisation. A few weeks after WannaCry, there was another attack using the same set of vulnerabilities. That attack impacted a large number of multinational organisations, some of whom had their whole IT infrastructure wiped out and had to be built from the ground up again. I think the fact that in that case, using the same vulnerabilities, the NHS wasn't impacted gives some comfort, but it is important that local organisations and national bodies, that we are continually vigilant for the threats and take appropriate action when necessary.

0:06:27 As well as that, we have also had another exact replication of WannaCry with the virus called Bad Rabbit. We have had two attacks using the same exploits as WannaCry and there were no health organisations impacted by those, as a result of the remediation taken as part of the mitigation of the WannaCry attack.

0:06:57 The department and the Cabinet Office wrote to the trusts in 2014 saying it was essential they had robust plans in place to migrate from old software such as Windows XP. So you had thought about this a long time ago, but it seems that that information somehow hadn't really transferred through into action by individual trusts by the time of this WannaCry attack on the 12th of June 2017.

0:07:32 It was a mixed picture. As you say, some action was taken in 2014 and there was a very big turning point in 2015, the National Data Guardian's report and the CQC report. A big programme of work was put in place around cybercrime nationally for pretty much the first time in the NHS. Between that date and the actual WannaCry attack, a lot of progress had been made. So if you look at XP, which you raised, in 2015 I think that was about 18% of NHS systems; it was down to 4.7% at the time of the WannaCry incident and is now down to 1.8%. However, a lot of work had been done, but at the time of the attack it was work in progress: we had started a programme but had not finished it. We were in a better position to deal with this attack at the point that it happened, but by no means perfect, and we'll come on to some of the lessons learned. We do have a lot to learn from the attack about how we deal with these things in future. But we were better prepared than we had been two years previously.

0:08:56 If you read the summary of the report, it says that prior to the attack NHS Digital conducted an on-site security assessment for 88 of the trusts and none had passed. There must have been an alert warning lingering in your department.

0:09:17 I was going to comment on this, but the point of those assessments is to identify weaknesses so they can be improved. It is quite a high bar and every trust has things it can improve on, even the ones that do it well. That is the point of the on-site assessment. Of course we want to get to a position where we are no longer finding things in trusts that need improving, but we are not there yet.

0:09:46 But with great respect, that's quite a glossy answer. None of the trusts had passed this assessment, none of them. If the majority had, I think your argument would have held water, but none of them had. Surely this must have been something high up on your interests.

0:10:03 This had been identified as a big risk and, as I say, a lot of action was in place, partly for the reason that you say. As I say, we had not finished the programme. There were still continuing vulnerabilities, and WannaCry, our assessment of WannaCry and what happened in the incident demonstrated to us that we needed to go much further. Your basic point I agree with you: clearly there were challenges in the system, some of them known about, which we had existing programmes to deal with, some of them we learned from the WannaCry attack and we need to take further action on.

0:10:51 We have now completed 200 on-site assessments; we had done 88 before WannaCry. All trusts still failed and there are reasons for that. This isn't a case that all trusts have done nothing around cyber security. The amount of effort it takes in the NHS to reach the standard we assess against is quite a high bar, so some of them failed purely on patching, which is what the vulnerability was around WannaCry. We work now with organisations; I always think it is better to have information about where your vulnerabilities are so you can do something about it, rather than hope it will be OK when you do get an attack. The vulnerability reports go back to the trusts so the trust board is able to work out how they can then do mitigation. Some need to do quite a considerable amount of work but a number are already on the journey that will take them towards that requirement. One of the things we may want to consider, now that we have the additional funding available, is whether we should go back and re-inspect those where there is the highest risk in order to provide ourselves with the assurance they are going in the right direction.

0:12:06 I made a mistake, it was the 12th of May, not the 12th of June, the attack. We are eight months on from that attack and the paragraph goes on to say that NHS Digital cannot mandate a local body to take remedial action even if it has concerns about the vulnerability of an organisation. Do you think that your department has sufficient powers to be able to shake up these trusts and be able to take the necessary action?

0:12:38 Yes, we do. They don't fall to NHS Digital; they are mainly in the enforcement powers of CQC. Some of the things we had set out before the WannaCry attack are now in place through the data and security standards set in the standard contract for the NHS trusts, as part of their contracts for doing business. This has gone into the CQC inspection, so CQC will inspect against it, and the support mechanism would be the same as we use for any other problems we have in the trusts. It would be for CQC to report and it would be for NHSI to take further action if need be. It goes into the general system. Which is not to say that there were things that we needed to learn from WannaCry that we didn't.

0:13:46 We are coming on to that.

0:13:46 It is worth adding that as part of the well-led inspections, CQC are also doing unannounced inspections where there is a concern around cyber security.
For a three-month period up to the end of March, we are doing a small number of CQC inspections. We will do unannounced inspections on trusts and will then do a lessons learned exercise in terms of: is that the right thing to do? Not adding burden onto an existing framework, to get the value out of inspections.

0:14:29 Each answer is provoking more questions but I want to bring my colleagues in. I want to ask a question about the very serious evidence, which I don't know whether you have had a chance to see, from a former director of the Health and Safety Executive. He recently did a cyber security review for the MoD, so presumably he is quite well qualified in these matters. He makes the point that as the WannaCry attack was able to encrypt NHS information, it was presumably able to alter NHS information, and that could have had really serious implications such as changing blood groups and that sort of thing. Do you think that our systems are now sufficiently robust to be able to...? Is that evidence true and, if it is, would we be in a position to refute a further attack that was able to do this?

0:15:47 I'm afraid I don't have the evidence, so I can't comment on that. It may well be true that data could be changed. It is important to say that every NHS organisation thoroughly backs up its data so true copies are available, held off-site, and after WannaCry any systems would have been restored from back-ups because effectively the data would have been lost. So while there are technical risks, in this instance the data was restored from copies which had been secured.

0:16:22 At a minimum, the CQC random inspections should make sure that all organisations are properly backing up their information.

0:16:32 Thank you. Obviously we were quite lucky that it was a relatively unsophisticated attack, but perhaps I could ask, given that we had reports in July 2016 from the National Data Guardian and the Care Quality Commission regarding cyber security, and as recently as March and April before the attack from NHS Digital, how come we were so unprepared for it?

0:17:05 I refer you to my answer earlier. I don't think we were completely prepared and we had lots to learn from the WannaCry attack, but nor were we completely unprepared.
Between the reports that you mentioned and the date of the WannaCry attack, a lot had happened to implement those reports. As both the reports have picked up, there is a lot more that can be done, but we had actually implemented the vast majority of what the National Data Guardian and CQC were recommending. We had not finished implementing it, but I'm not sure I can add very much.

0:17:58 This is the first time we knew there was a vulnerability in the Microsoft operating system, but it had never been exploited. We had put guidance out and, as patching had taken place in over two thirds of the trusts, they were all secure. Whereas a firewall is there to protect against vulnerabilities, we will never ever mitigate against all cyber attacks. We have to be honest about that. Anyone that says they mitigate against all cyber attacks, it would worry me that they are looking after their IT. We have to put protection at the front end and patch the trusts we were able to, as happened, but I cannot understate the complexity of the NHS estate and the complexity of trying to patch different parts of it, because if you patch one part it will have an impact on something else. The main drive has to be on patient care and making sure we don't impact any of those systems. We have to look at protection but also our ability to remediate. We have to accept that things will get through to cause cyber attacks, but how we then respond to those becomes crucial.

0:19:14 I understand what you're saying regarding the complexities of patching, and clearly it is not just the NHS itself but also some of the suppliers. How can you better get them to update their products quickly? Because clearly their machines can be attacked as well as the computer software.
0:19:48 Could you address the Windows XP point and the equipment?

0:19:48 This was not an attack on Windows XP. Legacy is the challenge of any organisation and the NHS is not unique in having legacy software across the estate. 95% of devices in the NHS at the time of WannaCry were running Windows 7, which is capable of being patched. Legacy is important, but it is not the only issue. The reason that patching does not happen: up to 18 months ago I was CEO in a hospital and we had a wide range of services, both administrative and clinical, and clearly when updating software in clinical areas it is important to make sure there are no unexpected consequences to the software or systems that are running. There is a challenge of trying to balance the technical risk of knowing there is a technical upgrade that we need to do against the clinical risks to patients as a result of potentially introducing something that may have an effect on a system or a device that is running. We continually rebalance that. Within the Royal Free, where I came from, we had over 10,000 PCs and devices in the organisation, so these are large-scale organisations and it is not a trivial case of saying we can update all of these overnight. There is complexity in that area. To the point about medical devices, absolutely we face challenges, and during the WannaCry attack we had diagnostic devices embedded that had not been patched. There are two things to say. One is we absolutely need to work more closely with software and device providers to make sure they are in a position that when patches come up they are able to update their equipment, which is very sensitive medical equipment. We are talking about MRI scanners, for example, which are sensitive to changes. I would also say from an IT management perspective that there are ways of designing the infrastructure within an organisation to protect yourself, so in some organisations networks were effectively completely connected to everything else as opposed to separating some equipment off the network. There are ways of designing an environment to mitigate some of those risks. But it is a hugely complex area and I think we saw with WannaCry some of the challenges of managing these issues in these kinds of organisations.

0:22:42 In terms of Windows XP, it is a good point. The operating system, with specially written software, could take years to be upgraded. We put some guidance out for how we segregate those, because the key thing is taking it off the network and making sure it is isolated if it is on something that has the potential to impact on other systems. We put guidance out on how local organisations can help mitigate that. In the recommendations there are a number of things we could check to make sure medical devices are properly segregated. Your point on the suppliers is a good one. On the actual weekend we were inundated with suppliers saying, let us know what you want in terms of support and we will put boots on the ground, and there was no question of money or anything like that. A number of the suppliers helped out in terms of the remediation in some of the organisations. We worked with the National Cyber Security Centre because once the attack became an issue, antivirus providers had to quickly update their systems to prevent future attacks, which they did and they completed by the end of the weekend. Then you have got big systems integrators like EPI systems for major trusts. They cannot just do a patch in isolation in one system. They do a patch across their entire estate and some of those will take time. It is incumbent on us to make sure that if it is a high threat, we proactively make sure that we do not wait until they are patched; we make sure they are carrying out the patching and we know where our vulnerabilities lie.

0:24:31 Is there not a simple procurement point here? I am wondering if you are going to change your procurement processes so that all new equipment that is procured by your department should be procured on the basis that software will be supported throughout the life of that equipment?

0:24:52 I will bring in Will in a moment. What we found on the back of the work done straight after the WannaCry attack was that even newly installed equipment and systems often had, for example, XP as the embedded operating system, and that emphasises the point that has been made that getting the firewall right and system integrity is as important as the components, over which we might not have direct control.

0:25:27 If you adopted what I was saying, no manufacturer would be supplying equipment with XP on it because they would not be able to support it?

0:25:36 I was going to make a point of clarification, although it may be a point of additional confusion. Where XP is running embedded software, some of that is under support. The challenge, back to the Windows 7 challenge, is not about support; it is about the challenges of upgrading that software safely and securely to protect patients from unintended harm as a result of the upgrade. Many of those devices are under support and they are continually supported by the vendor.

0:26:17 We can probably do more between our arm's length bodies to support local organisations in procuring systems, to make sure they get standard contract clauses to ensure they keep things up to date with patches, etc. That is something we can help with as part of the implementation of the report.
0:26:43 There is a wider point prompted by your question. Cyber security is a whole culture that you need to build into every decision you take, as opposed to: we bought a system, now how do we procure some cyber security to go with it? When we look at the trusts that were less affected as opposed to more affected, it seemed to be the ones that had the sort of wider governance, the wider board interest, the ones that have built cyber security into everything they do. You will have heard a lot about getting the basics right. Had you done your patching, had you done your backing up, had you isolated...? These are hugely complicated things to think of. They can be complicated things to do, but there is an awful lot of this which is not about what IT you need; it is about the wider leadership, and that is for all organisations up to national level.
0:28:00 > 0:28:09One of the other things we should bring out here is you should not
0:28:09 > 0:28:13always go to contract when you have a problem. When we are putting in
0:28:13 > 0:28:17systems that we oversee we do secure by design which means prior to
0:28:17 > 0:28:22anything going live we have got service acceptance criteria that
0:28:22 > 0:28:27says from a business and technical perspective, have they met the
0:28:27 > 0:28:31requirement that the business need? If we can get back right, it makes
0:28:31 > 0:28:35it easier in terms of some of the remediation because you know where
0:28:35 > 0:28:43your gaps are.Thank you.How certain are you that no harm was
0:28:43 > 0:28:48caused to any of the NHS England's patience as a result of the attack?
0:28:48 > 0:28:55No harm has been identified. We have a process for identifying incidents
0:28:55 > 0:29:01where our trusts report where those have arisen and as reported in the
0:29:01 > 0:29:07report that is the position that we are aware of. That is also true in
0:29:07 > 0:29:10Scotland and although we are principally concerned with England
0:29:10 > 0:29:16today, as I understand it 11 out of 14 Scottish health boards and the
0:29:16 > 0:29:23Scottish Ambulance Service were also affected.How long did it take for
0:29:23 > 0:29:25NHS England to reschedule all the cancelled and postponed
0:29:25 > 0:29:31appointments?NHS England itself does not do it, but that would have
0:29:31 > 0:29:40been within days of the original referrals. By way of context, one
0:29:40 > 0:29:44patient treatment deferred is one too many, but the NHS does look
0:29:44 > 0:29:55after 1 million people a day and the estimate is that that was 19,500 of
0:29:55 > 0:29:57those million appointments that may have been affected in terms of
0:29:57 > 0:30:01outpatient appointments. It is obviously regrettable, but a small
0:30:01 > 0:30:08proportion.Can you quantify the cost to the NHS from the cyber
0:30:08 > 0:30:11attack and the postponement of the appointments and all the overtime
0:30:11 > 0:30:17that had to be worked as a result? As the report says, we have not got
0:30:17 > 0:30:21a national estimate of that and I am not sure whether one has been
0:30:21 > 0:30:28compiled in Scotland either. But in effect a lot of people voluntarily
0:30:28 > 0:30:33went the extra mile to sort out the situation, not only for those of us
0:30:33 > 0:30:39who are involved and set the weekend and the following week, and I want
0:30:39 > 0:30:46to pay tribute to front-line IT staff, GP staff across hospital
0:30:46 > 0:30:50systems and international bodies who really did go that extra mile,
0:30:50 > 0:31:02obviously that is an inconvenience, but people put patients first.When
0:31:02 > 0:31:06you say voluntarily, did some people work unpaid overtime to help with
0:31:06 > 0:31:12the problem?For example, will spend the weekend Darren Berkshire helping
0:31:12 > 0:31:19them and many people did a lot to help out. It was remarkable that
0:31:19 > 0:31:23over the course of the weekend by the Sunday night an enormous
0:31:23 > 0:31:29programme had been put in place to sort out GP surgeries. Obviously
0:31:29 > 0:31:34coming online on Monday morning, I was at the GP surgery on Monday
0:31:34 > 0:31:37morning at half past seven to look directly at the issues were
0:31:37 > 0:31:41affecting patient care and there was mass mobilisation across the whole
0:31:41 > 0:31:49NHS that weekend.Your focus is on the health care rather than the cost
0:31:49 > 0:31:55aspect. But do you have any idea of how much overtime was accumulated
0:31:55 > 0:31:59during that period? It would give an approximate estimate.We do not and
0:31:59 > 0:32:11the report does not say there is a national measurement of that.Simon
0:32:11 > 0:32:18said generally people did what they needed to do just as extra. There
0:32:18 > 0:32:22would have been some overtime but at a national level you would not have
0:32:22 > 0:32:29seen any difference during a normal accounting period.How long is a
0:32:29 > 0:32:33piece of string question, but how much worse could this attack have
0:32:33 > 0:32:38been if it had not been during the quieter period of summer and if we
0:32:38 > 0:32:45had not had an IT expert that found the kill switch so quickly?I would
0:32:45 > 0:32:49not want to hazard a guess. We can be certain that it would have been
0:32:49 > 0:33:00worse. After the kill switch was found we were able to monitor local
0:33:00 > 0:33:13organisations, effectively culling the kill switch. The virus was on
0:33:13 > 0:33:19the device and it looked for the kill switch. 21 organisations culled
0:33:19 > 0:33:27the kill switch in that period. So in the worst-case 21 organisations
0:33:27 > 0:33:36may been impacted. Actually that Karl was to check that there was a
0:33:36 > 0:33:44network connection to the switch. It would have been worse we think, but
0:33:44 > 0:33:52I would be loath to put a figure on it.Can I return to the issue of
0:33:52 > 0:33:57cost. You have got quite precise numbers about the number of patients
0:33:57 > 0:34:00affected and likely follow up appointments that would have been
0:34:00 > 0:34:03cancelled, although it is harder for you to be more precise about some
0:34:03 > 0:34:09other aspects of the impact. Why has no assessment be made as to the
0:34:09 > 0:34:13overall cost? That figure would be helpful in understanding the impact
0:34:13 > 0:34:20this has had on the NHS.It is important to say we had a
0:34:20 > 0:34:29conversation with the fieldworkers. This data collection was to
0:34:29 > 0:34:33understand what the impact was and where the impact occurred so that we
0:34:33 > 0:34:37could manage it effectively to make sure resurfaces were directed to
0:34:37 > 0:34:44those pies of the NHS that require support. We did not set out to try
0:34:44 > 0:34:49and numerate all of the impact, all of the costs, because we were
0:34:49 > 0:34:53focused on resolving the incident. And then we did have a conversation
0:34:53 > 0:34:58with colleagues after the incident while the report was being developed
0:34:58 > 0:35:03as to whether we should do a separate data collection and we had
0:35:03 > 0:35:08a relatively robust discussion about it and the view that I gave was I
0:35:08 > 0:35:13did not believe that would help us understand what happened any better
0:35:13 > 0:35:17than we knew during the incident and I was not convinced it would change
0:35:17 > 0:35:22those things that we would do in the future to prevent an attack. That is
0:35:22 > 0:35:28why we do not have an answer to those questions.You rightly point
0:35:28 > 0:35:33out to patients the impact the impact it would have on the NHS, the
0:35:33 > 0:35:39financial impact when a patient fails to attend an appointment.
0:35:39 > 0:35:43Would it not be possible to have something similar here so we can get
0:35:43 > 0:35:50an impact on cyber security?The underlying point is that everyone
0:35:50 > 0:35:55can see that lots of things need to change and in the sense that
0:35:55 > 0:36:01argument has already been won. The fact that we are now explicitly
0:36:01 > 0:36:03changing the way in which our individual organisations get
0:36:03 > 0:36:10support, targeted investment outside the security, and that case has been
0:36:10 > 0:36:15understood.You do not think it would be helpful for organisations to
0:36:15 > 0:36:20understand there would be a cost for this?I think organisations would
0:36:20 > 0:36:26sigh a bit if we sent out a new set of forms for people to complete
0:36:26 > 0:36:33estimating what the marginal costs of an event last May would be. I do
0:36:33 > 0:36:35not think practically speaking it would affect the action that now
0:36:35 > 0:36:41needs to be, and is being, taken. But you are telling patients how
0:36:41 > 0:36:44much it costs when they miss an appointment. Is that a waste of
0:36:44 > 0:36:53time?
0:36:53 > 0:36:58That in itself would be very costly. But you frequently get reminders
0:36:58 > 0:37:03saying if you fail to attend an appointment this will cost the NHS
0:37:03 > 0:37:09£120. There are those figures as to around. That is an important driver
0:37:09 > 0:37:13in patient behaviour. Is it not helpful for organisations to
0:37:13 > 0:37:18understand that failing to act in making sure their cyber security
0:37:18 > 0:37:21responsibilities are being discharged comes with a financial
0:37:21 > 0:37:25cost as well?Yes, but I don't think that is the principal
0:37:25 > 0:37:34argument.I think the principal argument is about patient safety and
0:37:34 > 0:37:39the continuity of care that we can offer. WannaCry was the first act of
0:37:39 > 0:37:44its kind on health and care system. We were not the only organisation by
0:37:44 > 0:37:51any means affected around the world. The German railways, the Russian
0:37:51 > 0:37:55interior ministry, Nissan, Renault, various others were also affected.
0:37:55 > 0:37:59It was the impetus for change and improvement
0:37:59 > 0:38:04right across the health service regardless.To add to that, I don't
0:38:04 > 0:38:11think we have got any evidence that anyone in the NHS was not taking
0:38:11 > 0:38:18this seriously. If you refer to what the CQC and the National Data
0:38:18 > 0:38:22Guardian said in 2016, one of their quotes was there was evident
0:38:22 > 0:38:31widespread commitment to data security and staff facing a
0:38:31 > 0:38:35challenge in translating the commitment into practice. I don't
0:38:35 > 0:38:41think our challenge was persuading people in the NHS that data security
0:38:41 > 0:38:44is important. Certainly post WannaCry I don't think there is
0:38:44 > 0:38:48anyone in the NHS who would be saying that. I don't think we do
0:38:48 > 0:38:54need to prove to be taking this seriously, it is equipping people
0:38:54 > 0:38:59with the tools to turn that into positive action of the type that Rob
0:38:59 > 0:39:03and Will have been describing. I understand the point you're making
0:39:03 > 0:39:09but the same could be said of a number of other things. It is
0:39:09 > 0:39:14helpful for us to understand. No one sets out to have a cyber attack
0:39:14 > 0:39:17where there is an inadequate response or people are not fully
0:39:17 > 0:39:20prepared but there are good intentions and then making sure you
0:39:20 > 0:39:24have done what you need to do to set it right.And we agree with that.
0:39:24 > 0:39:31And a number of things we have set in place are about ensuring that
0:39:31 > 0:39:34compliance of things that NHS Digital send out and others are
0:39:34 > 0:39:41exactly the reason that you say. On the straight costing question, the
0:39:41 > 0:39:46truth is, it does not fall out of the data we regularly collect from
0:39:46 > 0:39:53trusts and others. Other than the very macrolevel described earlier,
0:39:53 > 0:39:57we would need to get an accurate number and do an entirely separate
0:39:57 > 0:40:02data collection which places burdens all the way through the system, and
0:40:02 > 0:40:10for the reasons Will explained, we do not see doing a specific data
0:40:10 > 0:40:14collection as a particularly positive thing. Now, that is clearly
0:40:14 > 0:40:17a debatable position. I think the National Audit Office would probably
0:40:17 > 0:40:22have taken a different decision but that is the decision that was taken.
0:40:22 > 0:40:28Ideally, we would have a number but we don't.I agree with exactly what
0:40:28 > 0:40:31Chris and Simon have said. Looking back would not give us any help at
0:40:31 > 0:40:35all. If I was ICT director in a local trust, I would want to have
0:40:35 > 0:40:40some idea that if this happens again, in terms of how can I make a
0:40:40 > 0:40:43compelling argument that we should be investing in cyber security, and
0:40:43 > 0:40:47one of the way they would do that is how much it costs in terms of
0:40:47 > 0:40:52remediation. How do you balance the risk of prevention in terms of
0:40:52 > 0:41:03remediation? Looking
0:41:04 > 0:41:06backward would not help. Even if organisations were able to say this
0:41:06 > 0:41:09is the rough order of magnitude for an attack, it helps build their case
0:41:09 > 0:41:11for what they should be spending on defences.Just to supplement what
0:41:11 > 0:41:15he's saying, it would help accountability. It is quite
0:41:15 > 0:41:19convenient that it is proven not to be practical among other things
0:41:19 > 0:41:23which are practical. And I also think with this list of
0:41:23 > 0:41:27initiatives we have here, there are a couple of one-off numbers
0:41:27 > 0:41:36associated, but not a proper costing on what it is going to cost and is
0:41:36 > 0:41:38that a practical number in context of the pressures on the NHS budget.
0:41:38 > 0:41:40It is not old-fashioned or retrospective to say when these
0:41:40 > 0:41:44things happen, it is part of assessing the seriousness of the
0:41:44 > 0:41:48event in terms of the accountability of parliament, or practicalities of
0:41:48 > 0:41:53the forward plan, to understand to the best of the NHS's ability what
0:41:53 > 0:41:58the costs are that are concerned. I do think that is
0:41:58 > 0:42:02terribly, no one is suggesting a retrospective thing now or
0:42:02 > 0:42:07exaggerating, it is normal accountability. Do you think that is
0:42:07 > 0:42:14-- I don't think that is a bridge too far personally.Since there were
0:42:14 > 0:42:18clearly strongly held opinions on this matter, I am quite happy to go
0:42:18 > 0:42:24and look again at whether there is some way of coming to a global
0:42:24 > 0:42:30number. I don't think it would be an auditable
0:42:30 > 0:42:35number that you would expect. I'm quite happy to go and look again at
0:42:35 > 0:42:42that.We will face up to the technical challenges!As I say, if
0:42:42 > 0:42:47there is some way we can manipulate existing data to give ourselves a
0:42:47 > 0:42:52global sum then I can see that. What we don't want to do for reasons that
0:42:52 > 0:42:58Simon was explaining is to go back to people who take this very
0:42:58 > 0:43:03seriously and could do a further burden.At this point, can one of
0:43:03 > 0:43:07you clarify to us for this committee, exactly what resources
0:43:07 > 0:43:16are being devoted to decide the issue? Because we have had the whole
0:43:16 > 0:43:21idea of transferring money from the capital budget to the revenue
0:43:21 > 0:43:25budget, perhaps you can clarify for us, what resources you are now
0:43:25 > 0:43:36devoting to the cyber problem within the NHS?Well, national spend is
0:43:36 > 0:43:41divided between what we basically allocate to IT nationally and what
0:43:41 > 0:43:45trusts and others choose to spend themselves. Over a Spending Review
0:43:45 > 0:43:55period from 2015 to 2020, we have allocated I think 4.2 billion to IT
0:43:55 > 0:44:01programmes. Our cyber security investment comes nationally and I
0:44:01 > 0:44:05keep emphasising there is a national bit and a local bit and that comes
0:44:05 > 0:44:09out of that 4.2. The original allocation directly to cyber
0:44:09 > 0:44:16security in that was £50 million. That was supplemented by an
0:44:16 > 0:44:23additional 21 million immediately after WannaCry, namely to deal with
0:44:23 > 0:44:30systems and infrastructure issues. Then, as a part of the
0:44:30 > 0:44:35reprioritisation we have done since WannaCry, we have allocated a
0:44:35 > 0:44:41further 25 million this financial year, and then 150 million over the
0:44:41 > 0:44:47following financial years. That is our direct spend on cyber security.
0:44:47 > 0:44:51It is very difficult to get to a number of what you spend on cyber
0:44:51 > 0:44:56security, for some of the reasons you were stating earlier. When you
0:44:56 > 0:45:00upgrade your systems you enhance your cyber security and it is
0:45:00 > 0:45:04frequently better to upgrade your systems than to spend a specific
0:45:04 > 0:45:08amount on cyber. A lot of the other spending on IT will be contributing
0:45:08 > 0:45:14to cyber security but those are our direct investments.Can we assume
0:45:14 > 0:45:21from that answer, that from the report that Mr Smart has produced
0:45:21 > 0:45:26with 22 recommendations, that there will be sufficient funds to
0:45:26 > 0:45:29implement his recommendations?What we have said and I hope this is
0:45:29 > 0:45:34clear in what we published, is that we have re-prioritised the 25
0:45:34 > 0:45:38million we are going to spend this year and the 150 million as the
0:45:38 > 0:45:45initial amounts that we will spend on implementing all this, we will
0:45:45 > 0:45:52keep that amount under review, both in terms of how we are getting on
0:45:52 > 0:45:57with implementing what Will has recommended, and of course, the
0:45:57 > 0:46:03assessment of the evolving threat. I know that doesn't sound very clear,
0:46:03 > 0:46:10but it is at the heart of our challenge here, that this is not a
0:46:10 > 0:46:16static issue with our friends in the National Cyber Security Centre, we
0:46:16 > 0:46:22are constantly monitoring for what the next threat of -- set of threats
0:46:22 > 0:46:25are and trying to stay one step ahead of the people who are playing
0:46:25 > 0:46:30games with us. We are looking at what have they just done, where have
0:46:30 > 0:46:34they blocked a potential problem and where can we go that they have not
0:46:34 > 0:46:37thought of next? Those are the initial investments we have made but
0:46:37 > 0:46:42we will keep that amount under review. Things I should add, as I
0:46:42 > 0:46:50hope has already become clear, lots of these things are not
0:46:50 > 0:46:54about money. They are about culture and practice and systems, though
0:46:54 > 0:47:03money is of course important. And individual trusts, and indeed other
0:47:03 > 0:47:06institutions in the NHS are responsible for their own cyber
0:47:06 > 0:47:11security and need to be investing their own money in it. So we're not
0:47:11 > 0:47:17saying that what we have announced there is the sum total of what needs
0:47:17 > 0:47:24to be to protect the NHS, we spend money nationally on things that go
0:47:24 > 0:47:29beyond the individual institutions like the NHS spine, things where
0:47:29 > 0:47:34there is a clear economy of scale, where we can do it on behalf of
0:47:34 > 0:47:45the system, and things where we are helping to create the framework in
0:47:45 > 0:47:52which the rest of the NHS can operate well, like those things
0:47:52 > 0:47:58which can give advice. That is what we allocate central money to.
0:47:58 > 0:48:05Resources for the defence of an individual trust or an individual GP
0:48:05 > 0:48:09come out of their resources rather than ours. So it is a complicated
0:48:09 > 0:48:13picture, but we try to keep that distinction between what it is right
0:48:13 > 0:48:18to spend nationally, and what it is right to leave to local trust boards
0:48:18 > 0:48:27to deal with their own circumstances.One thing that really
0:48:27 > 0:48:32concerns me, and it comes back to my first words I think at the beginning
0:48:32 > 0:48:36of this session is your department has now been given additional
0:48:36 > 0:48:40responsibilities for the social care sector. I am very concerned, given
0:48:40 > 0:48:45its diffuse nature about a cyber attack on the social care system, if
0:48:45 > 0:48:50we had large numbers of care homes, for example, not being able to
0:48:50 > 0:48:55operate because they were attacked by a cyber attack, are you looking
0:48:55 > 0:49:01at that whole aspect?We have always had the responsibility for cyber
0:49:01 > 0:49:06security and social care, and that is not something that is transferred
0:49:06 > 0:49:15in with the new name. I will leave Will to say a little
0:49:15 > 0:49:22more. One question, is this technology dependent than a trust
0:49:22 > 0:49:26hospital is? I would say it is much more difficult to defend because of
0:49:26 > 0:49:35its very diffuse nature as you say. But the nature of
0:49:35 > 0:49:41threat is probably less because it is less on high-end IT and
0:49:41 > 0:49:46diagnostics to run its day-to-day business. Will, you looked at some
0:49:46 > 0:49:52of these questions.We know the NHS is made up of a large number of
0:49:52 > 0:49:57independent organisations, 8000 GP practices and hospital trusts. There
0:49:57 > 0:50:03are 20,000 providers of social care across England, and they range from
0:50:03 > 0:50:09small single organisations through to large groups so we know we have a
0:50:09 > 0:50:14real challenge. We actually have, following WannaCry, not very much
0:50:14 > 0:50:19evidence about how WannaCry implicated social care and one of
0:50:19 > 0:50:24the recommendations in my report is about actually commissioning
0:50:24 > 0:50:29research to better understand both the cyber security stance of social
0:50:29 > 0:50:33care, but more importantly, to identify what are the right levels
0:50:33 > 0:50:38of protections that need to be in place in social care, because I
0:50:38 > 0:50:46think I know that we don't know that very well. That said, health was
0:50:46 > 0:50:52particularly impacted by WannaCry because of the National NHS network
0:50:52 > 0:50:55which connects every NHS organisation together. That was, I
0:50:55 > 0:51:01think to the best of our knowledge, Rob can confirm the route of
0:51:01 > 0:51:04transmission of WannaCry, those 20,000 social care organisations in
0:51:04 > 0:51:07general are not connected to that network so in some sense that
0:51:07 > 0:51:12provides some isolation. Local government organisations which was
0:51:12 > 0:51:19picked up in the NAO report, no local authority was affected by
0:51:19 > 0:51:25WannaCry and therefore the impact on that part of the social care network
0:51:25 > 0:51:32was more to do with challenges around sharing data between health
0:51:32 > 0:51:35and social care, the interface, so we do need to do more work. We
0:51:35 > 0:51:43recognise it and I hope we would come back with more detail.
0:51:43 > 0:51:48Could you tell us, you are moving away from the Internet system into
0:51:48 > 0:51:58the NHS e-mail system. What is the timetable for that?We are moving
0:51:58 > 0:52:02away from N3, which is the current network that is provided by
0:52:02 > 0:52:07BT. There will be a transition network that is available whilst
0:52:07 > 0:52:12organisations are able to migrate onto the new health and social care
0:52:12 > 0:52:16network. As more organisations move away from that, what that does is,
0:52:16 > 0:52:22it is a single entity and the health and social care network is a number
0:52:22 > 0:52:25of providers providing the service, so that will make it easier for us
0:52:25 > 0:52:29if we got to the situation where we had a mass attack because it would
0:52:29 > 0:52:33not attack everybody. Those transfers will happen over the next
0:52:33 > 0:52:38couple of years.What is the timetable before that transformation
0:52:38 > 0:52:48will be complete?Two or three years. A lot of it is the speed of
0:52:48 > 0:52:53how long organisations take to migrate. The first set of
0:52:53 > 0:52:56organisations have migrated onto the health and social care network and
0:52:56 > 0:53:01we have a number of providers supplying those services. We need to
0:53:01 > 0:53:05make sure we do not end up with a long tail and we keep the transition
0:53:05 > 0:53:09network going for a longer period because organisations are moving
0:53:09 > 0:53:13across. There will be incentives and making sure that people do not
0:53:13 > 0:53:18languish and become the last ones in moving across.In terms of the
0:53:18 > 0:53:24response to the attack, can I ask first of all why the plan had not
0:53:24 > 0:53:32been tested for a response to a cyber attack?We had a plan to test.
0:53:32 > 0:53:41It was purely timing. We had in place plans to test and WannaCry
0:53:41 > 0:53:47hit before we had a chance to do it. Who was responsible overall for
0:53:47 > 0:53:57leading the response?At which point?In terms of my understanding
0:53:57 > 0:54:04of the response to WannaCry. Who is responsible?On Friday the 12th we
0:54:04 > 0:54:08decided during the course of the day when it became apparent the nature
0:54:08 > 0:54:13of the attack, that we would manage this through the emergency
0:54:13 > 0:54:15preparedness and response EPR arrangements that we use for any
0:54:15 > 0:54:22major attack across the NHS. At that point the NHS in London stepped up
0:54:22 > 0:54:28with our partners around the table here to run that. Since then we have
0:54:28 > 0:54:36now done a dry run through the kind of scenarios that we would expect in
0:54:36 > 0:54:45future attacks and we now have a clear IT specific cyber operating plan
0:54:45 > 0:54:51that would kick in in the event of a similar type of event in the future.
0:54:51 > 0:54:58That was not in place then?That was one of the things that came out of
0:54:58 > 0:55:05WannaCry and some of the actions that have been taken, yes.The NHS
0:55:05 > 0:55:19emergency response system is tested and it performs as it always does,
0:55:19 > 0:55:32excellently. I admit we could have been slicker and there were some
0:55:32 > 0:55:40things that we presumed different about a cyber attack than other
0:55:40 > 0:55:51types of incident. But the plan did basically work. The issues were
0:55:51 > 0:55:56before. You see this in lots of crisis situations. One of the
0:55:56 > 0:56:04biggest issues is when do you call it? When something that is happening in a
0:56:04 > 0:56:11couple of hospitals is reported, when does it tip over to be a major incident?
0:56:11 > 0:56:18When do you put the machinery in place? That is always an issue.Can
0:56:18 > 0:56:22I challenge the assertion that it did work. It worked with a bit of
0:56:22 > 0:56:30luck, the plan, didn't it? The kill switch came in and helped, but
0:56:30 > 0:56:34people did not know how to communicate with your department and
0:56:34 > 0:56:41the organisations. They had to use mobile phones or whatever. I do not
0:56:41 > 0:56:47know if that particular document, for obvious reasons it is not in
0:56:47 > 0:56:50the public domain, but can you assure us if a future incident
0:56:50 > 0:56:54happens that people would know how to communicate with your department
0:56:54 > 0:57:01and organisation and there is a set protocol for doing so?That is the
0:57:01 > 0:57:06situation that arose that weekend and arrangements have been put in
0:57:06 > 0:57:09place subsequently to deal with that. I don't know how much you want
0:57:09 > 0:57:15us to say.I do not want you to give anything away. Presumably the
0:57:15 > 0:57:25document is confidential.Aspects of it are public.I would say that NHS
0:57:25 > 0:57:29Digital colleagues have put in place a mechanism to communicate directly
0:57:29 > 0:57:36across the service. Across the NHS a tremendous amount of work has been
0:57:36 > 0:57:43done about joining up networks and they have created weekly text alerts
0:57:43 > 0:57:49that connect to every CIO and service to provide that
0:57:49 > 0:57:53communication. We have learned the lessons we need for multiple
0:57:53 > 0:58:01communication channels to be in place and I hope we do not need to
0:58:01 > 0:58:08use it for a long time.The communications system that was in
0:58:08 > 0:58:14place for EDI systems which worked with individual trusts did work. One
0:58:14 > 0:58:18of the things we learned from the incident is you need a wider range
0:58:18 > 0:58:23of people to communicate with. It is not that the plans in place did not
0:58:23 > 0:58:30work, they did, it is that you need more than that.I am grateful for
0:58:30 > 0:58:38the clarification.Regardless of where you are in the country, there
0:58:38 > 0:58:43would be an understanding of where to come in the event of a cyber
0:58:43 > 0:58:47attack? People on the ground would know who to come to and have to
0:58:47 > 0:58:53do that quickly? They would know where their responsibilities lie?We are
0:58:53 > 0:58:57very clear that if there was a suspicion in any organisation that
0:58:57 > 0:59:03there may be a cyber attack, the first port of call is the NHS
0:59:03 > 0:59:07Digital security operations centre. NHS Digital will assess the risk and
0:59:07 > 0:59:15within an hour of an initial contact with NHS Digital, they will have a
0:59:15 > 0:59:23discussion and I will take the decision as to how we deal with it
0:59:23 > 0:59:31and we have a process to proactively manage that.Had GDPR been in place,
0:59:31 > 0:59:38how ready would it have been able to respond in a timely fashion to the
0:59:38 > 0:59:46data breaches?The NHS already has a history, we report breaches, we have
0:59:46 > 0:59:51been transparent about that. I do not think GDPR impacts the way we
0:59:51 > 0:59:56report those breaches.Do you think the NHS and its constituent parts
0:59:56 > 1:00:03are ready for GDPR in the broadest sense? Is there an understanding
1:00:03 > 1:00:12about what needs to be done? Certainly in our organisation we
1:00:12 > 1:00:17have got a full programme to become compliant and with the type of
1:00:17 > 1:00:21organisation we are you would expect that is the case. We have had our
1:00:21 > 1:00:25internal audit group come in and look at where we are early in the
1:00:25 > 1:00:28year and we have a follow up in April to make sure we have a strong
1:00:28 > 1:00:34plan to become compliant with GDPR. Local organisations will be
1:00:34 > 1:00:37doing their own planning. There is no central oversight in terms of
1:00:37 > 1:00:43whether they are on track to do that. But the IG Toolkit that used
1:00:43 > 1:00:48to put a lot of guidance out about data protection has been replaced.
1:00:48 > 1:00:58It was another recommendation in the review because before it was a tick
1:00:58 > 1:01:02box exercise that the Toolkit became, so we have made it more into
1:01:02 > 1:01:07a data security protection Toolkit to give local organisations more
1:01:07 > 1:01:12information. It is a lighter touch but the modules in there give more
1:01:12 > 1:01:19guidance around Dame Fiona Caldicott's principles around the
1:01:19 > 1:01:22Data Protection Act. It gives staff up-to-date tools because we need to
1:01:22 > 1:01:27explain to people about things like phishing attacks and how you keep
1:01:27 > 1:01:31safe online and how you make sure you do not fall for e-mail scams. As
1:01:31 > 1:01:39part of the readiness to help with the system we have made sure we are
1:01:39 > 1:01:42updating the data security protection Toolkit so they can
1:01:42 > 1:01:47update more support for our organisations that want to move
1:01:47 > 1:01:59towards compliance.The board is accountable for these issues and
1:01:59 > 1:02:04they will be ensuring that the board are aware of the risks to the
1:02:04 > 1:02:15Information Governance Alliance, a coalition which will be publishing
1:02:15 > 1:02:17information for those organisations to ensure they are as informed as
1:02:17 > 1:02:31they can be as to what the regulations are. If GDPR had been in
1:02:31 > 1:02:35place, would there be any extra responsibilities upon you as to the
1:02:35 > 1:02:42reporting in place?I am not sure. Where does cyber security rank
1:02:42 > 1:02:48alongside your many various priorities?It is one of our top
1:02:48 > 1:02:56risks and these are managed as such. Actually it is an area where the
1:02:56 > 1:03:05Department takes a more active role in the setting of the work and the
1:03:05 > 1:03:12management of it mainly because of its cross government nature. And
1:03:12 > 1:03:21because we are also interfacing with the Cyber Security Centre and
1:03:21 > 1:03:30others, so we are...Do you think the chain of events leading to the
1:03:30 > 1:03:34WannaCry attack would demonstrate that it is up there as one of your
1:03:34 > 1:03:37top priorities? Do you think the evidence in the run-up to the
1:03:37 > 1:03:43WannaCry attack would demonstrate that it is a key priority?In terms
1:03:43 > 1:03:53of priority, yes. In the two reports that were referred to earlier, my
1:03:53 > 1:03:58predecessor as Permanent Secretary, one of the last things she did was
1:03:58 > 1:04:07to review governance of IT including the security governance and she put
1:04:07 > 1:04:14in a new structure, including the role that we would play which is
1:04:14 > 1:04:21looking across on behalf of all of us the digital and IT issues. I do
1:04:21 > 1:04:29not think it is the case that there was a lack of priority. With
1:04:29 > 1:04:34hindsight looking at WannaCry would it have been even better if those
1:04:34 > 1:04:42things had started earlier? Of course, yes. But certainly since
1:04:42 > 1:04:532015 when our national approach on cyber security began I do not think
1:04:53 > 1:05:00there is a lack of priority. But we have a huge amount to learn.You are
1:05:00 > 1:05:04right to say with the benefit of hindsight, but was it not the case
1:05:04 > 1:05:08that you were lucky this time because of the timing of the attack,
1:05:08 > 1:05:11the kill switch, it was Friday afternoon, it was not in the middle
1:05:11 > 1:05:16of winter? Had any of those factors come at different points, the
1:05:16 > 1:05:22outcome might not have been so positive?
1:05:23 > 1:05:30We have discussed a number of those things as we have gone along.
1:05:30 > 1:05:34Clearly, if this had happened at a time when the NHS was under
1:05:34 > 1:05:39pressure for other reasons, such as winter, clearly this would have
1:05:39 > 1:05:49multiplied the effect. As Simon explained earlier, nationally it is
1:05:49 > 1:05:53quite a small percentage of NHS procedures which were affected,
1:05:53 > 1:06:02somewhere around 1%. Clearly, if you put that on top of a point where we
1:06:02 > 1:06:05were having problems for other reasons, that would have a big
1:06:05 > 1:06:15effect. On the kill switch, I discussed this with my colleagues at
1:06:15 > 1:06:28the National Cyber Security Centre, there is clearly some luck in terms
1:06:28 > 1:06:33of whether somebody finds a mitigation. What happens in these
1:06:33 > 1:06:38cases is as soon as you get an attack, a large number of people
1:06:38 > 1:06:42across both the public and private
1:06:42 > 1:06:49sector, look for a mitigation and hopefully someone finds one. At
1:06:49 > 1:06:55which point, everybody else stops, as it were. So you clearly could
1:06:55 > 1:06:59have a scenario where none of those people find something. So we were
1:06:59 > 1:07:04lucky in a sense that somebody did, but it is not the case that there
1:07:04 > 1:07:09was only one person looking etc. As it happens, that individual found
1:07:09 > 1:07:16one and did so quite quickly and that clearly mitigated the effect.
1:07:16 > 1:07:23But there is some science as well as some luck involved in those
1:07:23 > 1:07:33processes.The kill switch as well, as said earlier, there were 150
1:07:33 > 1:07:37countries impacted by this. The way National Cyber Security works,
1:07:37 > 1:07:41whoever finds the kill switch, the key thing is it is broadcast as
1:07:41 > 1:07:46quickly as possible. The fact that it was found by somebody in this
1:07:46 > 1:07:50country, we had already unpicked the code, it could have been an hour
1:07:50 > 1:07:54later or a day later, but we have to make sure our agreements with the
1:07:54 > 1:07:58other countries, whoever finds the kill switch, the key thing is
1:07:58 > 1:08:02communicating that quickly so you can enact it and reduce the impact
1:08:02 > 1:08:05of the attack.I understand what you're saying, but in the event that
1:08:05 > 1:08:10it had taken longer or it had not happened, what could have been done
1:08:10 > 1:08:18to try and mitigate the impact of the ongoing attack?I think in terms
1:08:18 > 1:08:26of what was happening, I think the command and control were in position
1:08:26 > 1:08:30and NHS England worked really well. Simon Weldon said where he wanted
1:08:30 > 1:08:35bits on the ground. All of that was positive and it was a learning
1:08:35 > 1:08:40experience as well. What I would say is if that had not happened there
1:08:40 > 1:08:42would be more business continuity planning which needed to be taken
1:08:42 > 1:08:49into account. There could have been more organisations inactive but we
1:08:49 > 1:08:55knew what the impact would be by then. What this was doing was
1:08:55 > 1:09:00locking out systems. We knew once it had locked those systems, it was not
1:09:00 > 1:09:04changing data. What it was doing was blocking it. So business continuity
1:09:04 > 1:09:09planning kicked in and worked really well in the NHS.I would like to add
1:09:09 > 1:09:15that the kill switch was not the only thing going on to mitigate the
1:09:15 > 1:09:19effect for organisations. Every NHS organisation up and down the
1:09:19 > 1:09:25country, IT engineers were working in the server farms, in the network
1:09:25 > 1:09:37areas, on the PCs to isolate and make sure everything possible was
1:09:37 > 1:09:42done. I know organisations were taking steps to protect themselves. We
1:09:42 > 1:09:45cannot say what the impact would have been if the kill switch was not
1:09:45 > 1:09:50found but we do know action was taken locally and that was having some
1:09:50 > 1:09:59preventative effect on the spread. Suppliers had updated their products
1:09:59 > 1:10:04to stop that attack from happening. Over the weekend, the fact they had
1:10:04 > 1:10:07taken their product, uplifted it so it was no longer a vulnerability
1:10:07 > 1:10:12that could be exploited, the number of organisations that could be
1:10:12 > 1:10:17impacted would be reduced as long as they had antivirus in place.Turning
1:10:17 > 1:10:25to the review, can I ask what
1:10:25 > 1:10:32the mechanism for implementing that would be?I presented a report. We
1:10:32 > 1:10:38will read over the coming weeks the recommendations and they will no
1:10:38 > 1:10:44doubt accept, reject or amend those recommendations so we have a period
1:10:44 > 1:10:50of dialogue to go through.Yes, we will be using the existing
1:10:50 > 1:10:58government mechanisms we used to manage our IT investments and data
1:10:58 > 1:11:08security detectors forward. It is a complicated picture. It does involve
1:11:08 > 1:11:10multiple organisations even at national level and a lot of the
1:11:10 > 1:11:15implementation needs to be done hopefully by individual trusts and
1:11:15 > 1:11:20others. I don't want to downplay the complications but we do think we
1:11:20 > 1:11:30have a good structure now for bringing together the key players in
1:11:30 > 1:11:35the NHS, and coming to a single agreement, and it is that board that
1:11:35 > 1:11:42does so.Mr Smart, of your 22 priorities, are there some you would
1:11:42 > 1:11:45draw attention to and say that if you had to pick out a number, these
1:11:45 > 1:11:48are the areas of the greatest importance which would have the
1:11:48 > 1:11:57biggest impact?I would obviously say all 22 are critically important.
1:11:57 > 1:12:02If I were to summarise, leadership is a really critical issue here. We
1:12:02 > 1:12:06need boards to be engaged in the cyber agenda and we need to make
1:12:06 > 1:12:12sure that there is appropriate governance within organisations to
1:12:12 > 1:12:16enable clinical risk and technology risk and operational risk to be
1:12:16 > 1:12:20properly managed in the organisation. One of my mantras over
1:12:20 > 1:12:25the past month has been the boards really need to be owning this agenda
1:12:25 > 1:12:30and driving it within the organisation. That is probably one.
1:12:30 > 1:12:33The second area, my first four recommendations are around
1:12:33 > 1:12:38standards. I have worked in local organisations and I have done my
1:12:38 > 1:12:43best to ignore everything that NHS England and Improvement have told me
1:12:43 > 1:12:50at that time. But we absolutely need to step up and be clearer what
1:12:50 > 1:12:55good looks like and what the standards are like. So the standards
1:12:55 > 1:13:02around action plans to implement Cyber Essentials Plus. But also a
1:13:02 > 1:13:05recommendation as well, about being clear about what technology and
1:13:05 > 1:13:08technical standards need to be in place with organisations I think is
1:13:08 > 1:13:14really important. And then maybe thirdly, rather than going through
1:13:14 > 1:13:20everyone, what we saw I think in the WannaCry attack was an environment
1:13:20 > 1:13:23which was probably much more connected in health care than I
1:13:23 > 1:13:28think many of us give health care credit for. We saw, particularly when
1:13:28 > 1:13:33we looked at the 46 affected organisations, that those which did
1:13:33 > 1:13:36not have WannaCry infection but were impacted as a result of decisions
1:13:36 > 1:13:42being taken by others to protect themselves, that we have a very
1:13:42 > 1:13:48interconnected NHS. So the recommendations around looking at
1:13:48 > 1:13:52business continuity plans beyond the boundaries of your own organisation,
1:13:52 > 1:13:55to understand who you are connected to, what the impact of decisions
1:13:55 > 1:14:00that you will take on others and the decisions that they take on your
1:14:00 > 1:14:03organisation I think is critical to ensuring that in that short period of time,
1:14:03 > 1:14:08when we have an incident emerging that we can be confident the right
1:14:08 > 1:14:14decisions are being taken.Which comes on to recommendation 15 which
1:14:14 > 1:14:18talks about NHS digital having the ability to isolate organisations,
1:14:18 > 1:14:23parts of the country with particular services in order to contain the
1:14:23 > 1:14:27spread of a virus during an incident. I want to ask how
1:14:27 > 1:14:32in practical terms that would work? So I think Rob and I had a long
1:14:32 > 1:14:35conversation about this this morning. I think it goes back to the
1:14:35 > 1:14:40point I made about business continuity. This is not something
1:14:40 > 1:14:45where we say we are about to switch off large parts of the network, it
1:14:45 > 1:14:48is particularly where together with the local communities and
1:14:48 > 1:14:52organisations, there is an emerging threat within an organisation that
1:14:52 > 1:14:57we take a decision to isolate. Preventative, I think there is a lot
1:14:57 > 1:15:02of work we need to do to make it an option which is safe and practical
1:15:02 > 1:15:08and it would not be something we would do lightly.Just to add to
1:15:08 > 1:15:12that, going back to a provider which was badly affected at the time, it
1:15:12 > 1:15:16has been really interesting to see how boards have embraced this. I
1:15:16 > 1:15:20think boards have learned a lot, they understand their exposure,
1:15:20 > 1:15:24their interconnections on a regional and national level. You can see an
1:15:24 > 1:15:29awful lot of board activity about risk. None of these things are risk-free.
1:15:29 > 1:15:33There is a danger that people think this is the only risk we have to
1:15:33 > 1:15:44deal with. Simple things like maintaining a CT scanner are not risk-free.
1:15:44 > 1:15:47Often you get simple routine maintenance and then spend several
1:15:47 > 1:15:49days getting the machine fully up and running again. I think one of
1:15:49 > 1:15:56the benefits is it has made boards much more aware of their
1:15:56 > 1:16:00vulnerabilities and this all cannot sit at a national level. It is very
1:16:00 > 1:16:03much knowing what your own risks are, how you're connected in regional
1:16:03 > 1:16:08systems and how you respond and help each other out at this time.Sir
1:16:08 > 1:16:12Chris, do we know how much these recommendations will cost and is the
1:16:12 > 1:16:16money there to deliver on them in full if that is what the department
1:16:16 > 1:16:24decides?Not precisely, no. We have made an initial reprioritisation of
1:16:24 > 1:16:27150 million to this, but for some of the reasons I explained earlier, we
1:16:27 > 1:16:34will keep that under review. As I say, this is one of the things that,
1:16:34 > 1:16:40in taking forward Will's report, the digital delivery board will
1:16:40 > 1:16:46consider, which oversees the entire programme of 4.2 billion across the
1:16:46 > 1:16:53Spending Review. We have not tried to cost individually the individual
1:16:53 > 1:16:59recommendations, we have made an initial investment on resources. We
1:16:59 > 1:17:02will keep that under review and we will take the advice of the delivery
1:17:02 > 1:17:07board about where we need to go in the future.What is more difficult
1:17:07 > 1:17:11to gauge is that we know there will be costs involved with implementing
1:17:11 > 1:17:14the recommendations of the review, but we do not know what the unspecified or
1:17:14 > 1:17:21undetermined costs of what an attack of greater magnitude could be so
1:17:21 > 1:17:23this may involve significant spending but it could in the long
1:17:23 > 1:17:27run be not only the right thing to do in terms of patient safety but
1:17:27 > 1:17:30save the NHS a lot of money in the event that a more serious attack
1:17:30 > 1:17:40were to occur?Yes, but all these questions are difficult issues of
1:17:40 > 1:17:48the balancing of risk. We were discussing some of this outside. The
1:17:48 > 1:17:52way to best make yourself secure against cyber attack is to turn
1:17:52 > 1:17:59everything off, with obvious consequences for patients and
1:17:59 > 1:18:04others. Likewise, it is possible to spend considerable sums of money,
1:18:04 > 1:18:11and still be vulnerable to attacks and when you look at attacks across
1:18:11 > 1:18:17the board, it has included organisations that spend huge sums
1:18:17 > 1:18:26of money. So the question of investing wisely is probably more
1:18:26 > 1:18:31important here than the actual quantum, and some of the other
1:18:31 > 1:18:38issues that Will was picking out about culture and cyber security are
1:18:38 > 1:18:46again probably more important than the quantum here. There are clearly
1:18:46 > 1:18:55investment questions here which is why we have made reprioritisation
1:18:55 > 1:19:01but you can spend enormous sums of money and not be secure.Can I add
1:19:01 > 1:19:07as well that we have got to make sure that we future-proof this. What we
1:19:07 > 1:19:11cannot do is throw public money and say we will protect now but we are
1:19:11 > 1:19:15protecting against the past. We have to make sure that we have a
1:19:15 > 1:19:19well-balanced risk. It is all about layered protection. We can say we
1:19:19 > 1:19:22are doing something at the front door but someone is climbing through
1:19:22 > 1:19:26your back window at the same time. You have to make sure that as you peel
1:19:26 > 1:19:30back the onion that you have different layers of protection and
1:19:30 > 1:19:36NHS digital should hopefully with the money that has been allocated,
1:19:36 > 1:19:41do something to reduce the systemic risk. It does not make sense for
1:19:41 > 1:19:45each organisation to monitor organisations at its perimeter. The
1:19:45 > 1:19:50other part of Will's recommendation, at the minute NHS Digital do not
1:19:50 > 1:19:54know what is deployed in all the major trauma centres, the Ambulance
1:19:54 > 1:19:58Service and big foundation trusts. If we knew what was deployed and
1:19:58 > 1:20:04then we have a threat, we can make targeted analysis and we can make it
1:20:04 > 1:20:06at individual organisation level. That sits with some of the guidance
1:20:06 > 1:20:11and it makes it much more specific. I know in terms of the
1:20:11 > 1:20:13recommendations, I know it talks about switching people off the
1:20:13 > 1:20:25system, but a crucial thing is about understanding what is deployed and
1:20:25 > 1:20:36what the threat is. That is certainly a big priority for me.Can
1:20:36 > 1:20:40you give an idea of where we would expect to be in six months from now
1:20:40 > 1:20:47and how we would complete all 22?We are already undertaking a great deal
1:20:47 > 1:20:52of work around cyber protection, remediation etc as we speak. All of
1:20:52 > 1:20:55these actions will start immediately. Some of them have a
1:20:55 > 1:21:01longer lead time and again, we need to have a detailed conversation with
1:21:01 > 1:21:05the data security leadership board as to what the appropriate plan and
1:21:05 > 1:21:11timescale for that looks like, so I would expect that over the next few
1:21:11 > 1:21:16weeks, months, we will be able to come back with a much clearer plan
1:21:16 > 1:21:23and timetable.We are coming towards the end. Can I have some quickfire
1:21:23 > 1:21:28questions? Principally to Sir Chris and Simon Stevens. Can you tell us
1:21:28 > 1:21:37where we have got with the CareCERT system. How many organisations are
1:21:37 > 1:21:41signed up for the CareCERT portal and how many organisations have
1:21:41 > 1:21:49registered technical compliance?So CareCERT, we have worked with the
1:21:49 > 1:21:53leaders both with NHS England and NHS Improvement and all the
1:21:53 > 1:21:57foundation trusts are signed up to it. There are some benefits to that.
1:21:57 > 1:22:04It is not a case of signing up and we can contact them, where it is
1:22:04 > 1:22:09providing enhanced threat protection, we have done a customised agreement
1:22:09 > 1:22:15so that organisations can download patches. Round about a third of all
1:22:15 > 1:22:19trusts have downloaded patches from the service. That does not mean two
1:22:19 > 1:22:26thirds haven't. This is to support software which was not previously
1:22:26 > 1:22:33supported. CareCERT is moving forward. There are a number of things
1:22:33 > 1:22:37we have put forward around vulnerability scanning. There are
1:22:37 > 1:22:42things we can do with the funds allocated. We need to make sure we
1:22:42 > 1:22:47prioritise things in terms of impact and what the systemic risk is in
1:22:47 > 1:22:52terms of value for money. In terms of signing up, I'm pleased to say
1:22:52 > 1:22:56that through NHS England and NHS Improvement, there is 100% sign-up now
1:22:56 > 1:23:07from the trusts. The high-risk are fully signed up.
1:23:07 > 1:23:12Are you sure in your own mind both your organisations have a hand on
1:23:12 > 1:23:18preparedness in the event of an attack? Or are there other
1:23:18 > 1:23:24organisations out there that are still unprepared?I think we have
1:23:24 > 1:23:28got much better visibility than we had in May about the situation. What
1:23:28 > 1:23:35we are focusing the 25 million second tranche of funding on this year
1:23:35 > 1:23:40is for those organisations that have vulnerabilities around some of the
1:23:40 > 1:23:44high-level care issues that were identified and to address the immediate
1:23:44 > 1:23:50issues there. We have a good sense of where the next group of
1:23:50 > 1:23:54organisations are going to. We know that some organisations, Barts is
1:23:54 > 1:24:00a good example, which is a huge organisation, they have a lot to do
1:24:00 > 1:24:04to address all of their cyber resilience issues and we are working
1:24:04 > 1:24:07hard with them in terms of working through their vulnerabilities,
1:24:07 > 1:24:12providing them with funding and support. I think we broadly know
1:24:12 > 1:24:16those organisations which we are most worried about and we have a plan for
1:24:16 > 1:24:22them.Do you have a number in your head of the trusts that have a lot
1:24:22 > 1:24:27more work to do?I would not like to give a number out. I am happy to
1:24:27 > 1:24:36come back with a number.I appreciate it might be sensitive
1:24:36 > 1:24:39information, but what I am trying to get that is within the parameters
1:24:39 > 1:24:46you have set out, obviously it is the worst that have the most work to do
1:24:46 > 1:24:50and I want to know if you are on top of those that have a lot more work
1:24:50 > 1:24:58to do?We have a list and we have regular calls with NHS England and
1:24:58 > 1:25:00NHS Improvement staff where we go through those organisations that we
1:25:00 > 1:25:06think are furthest away from having all of the technical controls in
1:25:06 > 1:25:13place that are required. In one sense, and this may come out as
1:25:13 > 1:25:16slightly odd, I am almost less worried about those organisations
1:25:16 > 1:25:20because they are the organisations that know themselves they have a
1:25:20 > 1:25:25distance to go. I think the worry and the cultural leadership challenge is
1:25:25 > 1:25:30for those organisations that were not affected during the WannaCry
1:25:30 > 1:25:36crisis that may think that reflects the good work that the organisation
1:25:36 > 1:25:39has done, those are the organisations we need to be
1:25:39 > 1:25:42targeting to make sure that they are really on top of it in the
1:25:42 > 1:25:48infrastructure.Is this CQC inspection the only way you will get
1:25:48 > 1:25:52an in-depth knowledge of where each trust is or are there other
1:25:52 > 1:25:57mechanisms that you can use to enquire into their preparedness?We
1:25:57 > 1:26:00do a full inspection on site, penetration testing, looking across
1:26:00 > 1:26:10the full estate so when they respond the information gets passed to CQC.
1:26:10 > 1:26:14Before it was just between ourselves and the local organisations but as a
1:26:14 > 1:26:18result of WannaCry that information is being shared so CQC can use that
1:26:18 > 1:26:23as part of the unannounced inspections if they choose to do so,
1:26:23 > 1:26:28but through this area we can see the ones that are at the lower end as
1:26:28 > 1:26:35well as the ones at the top end. Clearly at high-level there are a
1:26:35 > 1:26:39lot of government organisations and key government organisations that
1:26:39 > 1:26:44are looking at the whole area of cyber security. Are you satisfied
1:26:44 > 1:26:47that your contacts with all those government agencies are sufficient
1:26:47 > 1:26:53to enable your department because this is an ongoing science? You can
1:26:53 > 1:26:58never rest from it. There are new methods of penetrating IT systems
1:26:58 > 1:27:03coming along all the time. Are you really sure all government agencies
1:27:03 > 1:27:07are coordinating as they should?I can never promise they are
1:27:07 > 1:27:17coordinating perfectly. NHS Digital have very close working
1:27:17 > 1:27:22relationships with us and during the cyber attacks and we work closely
1:27:22 > 1:27:28with them afterwards as well. That is a new piece of the landscape and
1:27:28 > 1:27:38it makes it considerably simpler for us that there is a single centre for
1:27:38 > 1:27:44all government needs on these issues and which we can work with.There is
1:27:44 > 1:27:49only ourselves and the MoD along with the National Cyber Security
1:27:49 > 1:27:55Centre, so other departments rely on information being fed out. Because
1:27:55 > 1:28:03we are monitoring the national Spine, the mail system, etc, we
1:28:03 > 1:28:06share information with the National Cyber Security Centre so there are
1:28:06 > 1:28:12alerts that come out from them that originate from what we have seen on
1:28:12 > 1:28:15our networks. That partnership has grown quite significantly in the
1:28:15 > 1:28:28last 12 months or so.Can I go back to your point on the EPRR? What time
1:28:28 > 1:28:32did you know that this attack was taking place?It was about one
1:28:32 > 1:28:38o'clock on the Friday that there were the first reports. A national
1:28:38 > 1:28:44incident was called at four o'clock. Is that right?If that is the
1:28:44 > 1:28:48timescale that sounds like a reasonable timescale to be making a
1:28:48 > 1:28:55decision on a very important national issue?As I say, the NHS is
1:28:55 > 1:29:01very good at emergencies and it does kick in very quickly. We had a
1:29:01 > 1:29:04conversation with the National Cyber Security Centre straightaway when
1:29:04 > 1:29:10the first reports came in, which was also helpful to that
1:29:10 > 1:29:15decision-making. But the decision-making by NHS England was
1:29:15 > 1:29:22very swift indeed.The first trusts were reporting to NHS Digital by
1:29:22 > 1:29:27lunchtime one o'clock and by four o'clock it had become a larger group
1:29:27 > 1:29:35of trusts so we declared a major incident. At five to five NHS
1:29:35 > 1:29:42Digital released the NHS bulletin. At five o'clock we briefed
1:29:42 > 1:29:49the Secretary of State and by 6:45pm we had initiated the EPRR plans for
1:29:49 > 1:29:54coordinating across the whole of the NHS.Thank you for that helpful
1:29:54 > 1:29:58answer. Can I challenge one of your earlier answers in which you said it
1:29:58 > 1:30:05worked well. In communications there seems to have been a bit of tension
1:30:05 > 1:30:09between what you should have been communicating and in some respects
1:30:09 > 1:30:13people wanted more information to know what was happening in their
1:30:13 > 1:30:17NHS. In another respect some of the trusts were wanting to keep it quiet
1:30:17 > 1:30:22because they did not want their particular weaknesses to be exposed
1:30:22 > 1:30:30I presume. Have you undertaken a lessons learned as it were for the
1:30:30 > 1:30:36whole EPRR process? Have you in particular looked at how you would
1:30:36 > 1:30:41communicate these types of incident in the future?Yes, we review the
1:30:41 > 1:30:48process all the time and every time there is an incident that uses the
1:30:48 > 1:30:53machinery there are lessons learned. We updated in the light of
1:30:53 > 1:31:01experience. Just to clarify, what I mean is the EPRR system worked as it
1:31:01 > 1:31:08was designed to work. In that sense that is what we all want. That is
1:31:08 > 1:31:14not to say that it was perfect for these incidents. We have to involve
1:31:14 > 1:31:18the system in the future. That is to be clear about what my previous
1:31:18 > 1:31:22answer meant, it worked as it was supposed to work, which is a good
1:31:22 > 1:31:26starting place, that is not to say it was completely perfect for this
1:31:26 > 1:31:36incident.I was going to add was that the evolution of it over the 72
1:31:36 > 1:31:40hours from Friday night through to Monday morning was such that the
1:31:40 > 1:31:47first 24 hours or so were about establishing what was happening
1:31:47 > 1:31:50technically since the principal arrangements that had to be put in
1:31:50 > 1:31:57place were linked to major trauma and emergency care system there was
1:31:57 > 1:31:59a public, behavioural response needed on the Saturday. Parallel
1:31:59 > 1:32:06with that the government responded with Cobra arrangements and a
1:32:06 > 1:32:10perfectly understandably decided to communicate as a security related
1:32:10 > 1:32:17incident, and the initial evidence was that is what it was. By the time
1:32:17 > 1:32:21we got to Sunday we needed to give public advice about whether or not
1:32:21 > 1:32:25to go to your GP appointment or hospital outpatients on the Monday
1:32:25 > 1:32:28and at that point the NHS communications publicly kicked in as
1:32:28 > 1:32:34they normally would.So are you satisfied that the communications
1:32:34 > 1:32:40were as seamless as they should have been?We talked about the mechanisms
1:32:40 > 1:32:47with individual trusts and GPs, and we accept the early points, but in
1:32:47 > 1:32:51terms of the public communication in terms of what the public were being
1:32:51 > 1:32:55asked to do, yes, by the time we got to Sunday people were getting the
1:32:55 > 1:33:08right advice for Monday.Can I just ask you one of the technical issues
1:33:08 > 1:33:15I am advised on about the particular WannaCry virus was the ability to
1:33:15 > 1:33:23be able to communicate with each organisation's server. If
1:33:23 > 1:33:31you turn to the report on page 20 it says there was limited central information
1:33:31 > 1:33:35on trusts, IT and digital assets such as IP addresses. It then goes
1:33:35 > 1:33:40on to say at the start of its investigation the National Crime
1:33:40 > 1:33:45Agency had to gather evidence from all sides including information that
1:33:45 > 1:33:51affected IP addresses and network traffic. If the kill switch had not
1:33:51 > 1:33:57worked, this sort of core, central information should have been
1:33:57 > 1:34:00something that was pretty readily available to either NHS England or
1:34:00 > 1:34:08the Department. I am wondering if you have rectified that.At the
1:34:08 > 1:34:15moment we do not collect that information nationally and that is
1:34:15 > 1:34:19part of the recommendation 15. We need to understand what IP addresses
1:34:19 > 1:34:25local organisations work with and that type of thing. Before we had
1:34:25 > 1:34:29WannaCry, going back eight months, it was a simple question of who do
1:34:29 > 1:34:37you write to in the NHS? When EPRR starts to kick in in terms of tried
1:34:37 > 1:34:41and tested mechanisms we did not have a list of all the security
1:34:41 > 1:34:46leads, all of the staff we needed to put this out across health and
1:34:46 > 1:34:50social care. We have collected that information and we are continuing to
1:34:50 > 1:34:57evolve the way we do communicate. If we were able to get what is deployed
1:34:57 > 1:35:00locally, then we could say we now know where that vulnerability lies
1:35:00 > 1:35:06and we give certain information to certain areas. We covered
1:35:06 > 1:35:16previously, but it was a well-made point in the report.
1:35:16 > 1:35:22I was going to come onto timescales. Perhaps Sir Chris or Simon Stevens
1:35:22 > 1:35:29could answer, when would you expect to be in a position to tell us when
1:35:29 > 1:35:35all the 22 recommendations in Mr Smart's report are going to be
1:35:35 > 1:35:38implemented and under what timescale? The purpose of that
1:35:38 > 1:35:43question is to work out when this committee might revisit the subject.
1:35:43 > 1:35:50We will say six months.Six months in terms of having a firm plan.
1:35:50 > 1:35:55Recommendation one talks about cyber essentials being in place around the
1:35:55 > 1:36:00NHS by June 2021. That would be the long stop in terms of when the plan
1:36:00 > 1:36:04as a whole would finish but certainly we can give you a plan...
1:36:04 > 1:36:10I think what I would like to ask is if you would give the National Audit
1:36:10 > 1:36:15Office a six-month update about where you are with the report, then
1:36:15 > 1:36:21we will know when we ought to revisit this subject?I think that
1:36:21 > 1:36:26would be completely appropriate. The point we have made throughout this
1:36:26 > 1:36:33hearing, although we will put in dates on the actions, and it is very
1:36:33 > 1:36:37important to monitor them, this is of course a job which is never done.
1:36:37 > 1:36:43It is not as if we are going to reach 2021 and declare victory on
1:36:43 > 1:36:48cyber security, and nor will things that Will be published be the last
1:36:48 > 1:36:56word on what the Government needs to do, and I think a six-month report
1:36:56 > 1:37:02to the National Audit Office would be entirely appropriate.Sir Chris,
1:37:02 > 1:37:06I cannot find it in the time available, but one of Mr Smart's key
1:37:06 > 1:37:14recommendations is on people, and this is very much an
1:37:14 > 1:37:19evolving science, so you will need good young trained people. Are you
1:37:19 > 1:37:26satisfied that your national cyber centre, the NHS cyber centre is
1:37:26 > 1:37:30producing people with the right skills that you require to deal with
1:37:30 > 1:37:37this whole problem?It is difficult for me to comment on what the
1:37:37 > 1:37:41National Cyber Security Centre is doing. In NHS digital you are
1:37:41 > 1:37:46building your capacity that entire time.We are. Simon mentioned at the
1:37:46 > 1:37:52start, my staff came in on Friday morning and went home on Monday,
1:37:52 > 1:37:56unfortunately in the same clothes, pants, socks etc, so it was not a
1:37:56 > 1:38:02good place to be on that weekend, but where it has ended up is we have
1:38:02 > 1:38:07around 18 to 20 deeply skilled people. We are doing a graduate
1:38:07 > 1:38:12scheme so we are working with universities to try and grow our own
1:38:12 > 1:38:19but the realism is this is a sought-after skill. There are lots
1:38:19 > 1:38:21of organisations in the private sector which can employ people and
1:38:21 > 1:38:25there are three jobs for every skilled cyber expert. We rely on the
1:38:25 > 1:38:29fact that people are committed in terms of the way they want to give
1:38:29 > 1:38:33something back to the public sector. We have grown a team who have
1:38:33 > 1:38:38realised what a difference they have made in terms of the impact on
1:38:38 > 1:38:41patients and care. We are trying to give them training programmes, we
1:38:41 > 1:38:44are trying to make it so that they have a career ladder and they can
1:38:44 > 1:38:49work through. But we will have to continually, across our
1:38:49 > 1:38:53organisations, not just in mine but the local organisations etc, we have
1:38:53 > 1:38:58to be able to attract and retain top talent on this. Where we cannot get
1:38:58 > 1:39:03it in terms of permanent staff, one of the things we have done in terms
1:39:03 > 1:39:06of WannaCry is we have worked with Crown services and the National
1:39:06 > 1:39:10Cyber Security Centre, to say if you have not got the staff or the
1:39:10 > 1:39:15capability, how can you draw on suppliers? When you are in the heat
1:39:15 > 1:39:20of an incident like this, if you bring the wrong supplier in you can
1:39:20 > 1:39:24do more harm than good. That is something we have put on our website
1:39:24 > 1:39:29to support at local organisations. Nationally this is an area where the
1:39:29 > 1:39:35country is short. When I was at the Department for Education, it is one
1:39:35 > 1:39:38of the reasons why we added coding because we do need to grow more
1:39:38 > 1:39:44people nationally and the NHS competes in the market for those
1:39:44 > 1:39:54valuable people with everybody else. Can I thank you.Just an
1:39:54 > 1:39:58opportunistic comment, which is not directly related, it is not a cyber
1:39:58 > 1:40:02attack but it was a Twitter attack on the NHS today, President Trump
1:40:02 > 1:40:06has been tweeting about the National Health Service today. Unfortunately,
1:40:06 > 1:40:12I think we would suggest that he got the wrong end of the stick, and in fact
1:40:12 > 1:40:16people in this country do not want to ditch our NHS, notwithstanding
1:40:16 > 1:40:19everything we have been talking about today, they want to keep it
1:40:19 > 1:40:26and strengthen it. So an invitation, if the president were to be visiting
1:40:26 > 1:40:33later this year, would be to visit doctors, hospitals, scientists, to
1:40:33 > 1:40:37hear about cataract services, hip replacements, modern scanners, the
1:40:37 > 1:40:41world-first liver, heart and lung transplant, the genomics revolution
1:40:41 > 1:40:47all underway, and go away understanding that health care for
1:40:47 > 1:40:51everybody, delivered at half the cost of the US health care system,
1:40:51 > 1:40:54is something that people in this country are deeply and rightly
1:40:54 > 1:41:00committed to.I am very grateful for that, Mr Stevens. I think we often
1:41:00 > 1:41:02underestimate our excellent health service and I think you and others
1:41:02 > 1:41:06get their fair share of criticism but you do work very hard and I am
1:41:06 > 1:41:10very grateful to all our witnesses for coming this afternoon, Sir
1:41:10 > 1:41:14Chris and your team, Simon Stevens and your team, and thank you for all
1:41:14 > 1:41:18the work you did during the WannaCry attack. It must have been a worrying
1:41:18 > 1:41:23time for a few days. Thank you very much for that and for answering our
1:41:23 > 1:41:27questions this afternoon.Thank you.