Line | From | To
---|---|---
You are considering the report on the cyber attack on the NHS. The | 0:00:28 | 0:00:35
developments of information technology including cyber are | 0:00:35 | 0:00:38
increasingly important in the way the NHS functions and the country in | 0:00:38 | 0:00:42
general. Developments present challenges, risks as well as | 0:00:42 | 0:00:48
benefits and opportunities. This was demonstrated by the cyber attack | 0:00:48 | 0:00:52
last May which caused disruption around the world including to our | 0:00:52 | 0:00:56
own NHS. The attack affected one third of trusts and caused 19,000 | 0:00:56 | 0:01:03
hospital appointments to be cancelled, and affected 603 primary | 0:01:03 | 0:01:08
care organisations and 595 GP practices. The newly named | 0:01:08 | 0:01:13
Department of Health and Social Care and the NHS were aware of the threat | 0:01:13 | 0:01:19
of a cyber attack, yet were unable to prevent the widespread disruption | 0:01:19 | 0:01:22
caused. The NHS was able to manage the attack using existing emergency | 0:01:22 | 0:01:29
response arrangements and requirements but we were fortunate | 0:01:29 | 0:01:34
the attack was not more damaging. We want to get answers from NHS | 0:01:34 | 0:01:40
England, NHS Digital and NHS Improvement on what they learned | 0:01:40 | 0:01:43
from the attack and what actions they will take to make sure they can | 0:01:43 | 0:01:48
better prevent and recover from any future cyber attack. Late last week | 0:01:48 | 0:01:52
NHS England and NHS Improvement published their lessons learned review | 0:01:52 | 0:01:58
on the attack. It may have been a coincidence the publication was | 0:01:58 | 0:02:05
ahead of today's hearing, maybe not. It builds on the report with its | 0:02:05 | 0:02:12
22 recommendations. From it, we need to understand more about this | 0:02:12 | 0:02:18
document and its context, specifically how priorities are | 0:02:18 | 0:02:19
being set and where the resources are coming from and the timing of | 0:02:19 | 0:02:24
these dimensions. It is unclear how the numerous recommendations and | 0:02:24 | 0:02:32
implementation will work from the report. We are pleased to welcome | 0:02:32 | 0:02:38
our illustrious team of witnesses. Rob Shaw, deputy chief executive of | 0:02:38 | 0:02:43
NHS Digital. The Permanent Secretary of the Department of Health. You are | 0:02:43 | 0:02:50
a frequent flyer to this committee. Almost as frequent but | 0:02:50 | 0:02:55
not quite, we have next to him Simon Stevens, chief executive of NHS | 0:02:55 | 0:03:00
England. Then, the chief information officer of NHS England and | 0:03:00 | 0:03:07
Improvement. And Jim Mackey, former chief executive of NHS Improvement. | 0:03:07 | 0:03:14
Welcome, gentlemen. I should perhaps start with a general question to | 0:03:14 | 0:03:18
Sir Chris. Can you ensure that no person was | 0:03:18 | 0:03:28
harmed and that there is no future risk to NHS information? | 0:03:28 | 0:03:33
Both are in the report. No one paid the ransom and we do not | 0:03:33 | 0:03:44
have any direct cases of patient harm resulting from this attack that | 0:03:44 | 0:03:49
as you said was considerably disruptive, affecting patients. Can | 0:03:49 | 0:04:00
we guarantee future security? No, we can't. Just like every other | 0:04:00 | 0:04:07
organisation, cyber attacks and cybercrime are facts of life. If you | 0:04:07 | 0:04:16
believe you are completely safe from cybercrime, that would be an | 0:04:16 | 0:04:22
extremely bad sign indeed. I cannot give you that reassurance. While I | 0:04:22 | 0:04:26
have the floor, I will pick up your point that it is not a coincidence | 0:04:26 | 0:04:33
we published our response in advance of this hearing because this was | 0:04:33 | 0:04:36
work already in train. We had commissioned this after WannaCry and | 0:04:36 | 0:04:42
of course we wanted to be able to be frank with the committee about what | 0:04:42 | 0:04:47
we were actually doing at this point. We wanted to set that out | 0:04:47 | 0:04:54
rather than sitting here knowing there was more to come. It is | 0:04:54 | 0:04:58
nothing to do with this hearing that the report exists, but we wanted | 0:04:58 | 0:05:03
this committee to be informed. | 0:05:03 | 0:05:05
We will move on to our more technical witnesses and ask how we can be sure | 0:05:10 | 0:05:13
that there is no future threat to the NHS or to its information from | 0:05:13 | 0:05:20
this attack. How can you be sure the virus has been eliminated from | 0:05:20 | 0:05:26
NHS systems? I don't think we can guarantee the threat has gone away. | 0:05:26 | 0:05:30
The threat continues. Over the course of the week of the major | 0:05:30 | 0:05:37
incident, local organisations put in a huge amount of work, local staff | 0:05:37 | 0:05:42
up and down the country patched systems, put in place or changed the | 0:05:42 | 0:05:47
firewalls to improve the resilience of the organisation. A few weeks | 0:05:47 | 0:05:52
after WannaCry, there was another attack using the same set of | 0:05:52 | 0:05:57
vulnerabilities. That attack impacted a large number of multinational | 0:05:57 | 0:06:02
organisations, some of whom had their whole IT infrastructure wiped | 0:06:02 | 0:06:05
out and had to be built from the ground up again. I think the fact | 0:06:05 | 0:06:11
that in that case, using the same vulnerabilities, the NHS wasn't | 0:06:11 | 0:06:17
impacted gives some comfort, but it is important that local | 0:06:17 | 0:06:20
organisations, national bodies, that we are continually vigilant for the | 0:06:20 | 0:06:27
threats and take appropriate action when necessary. As well as that, we | 0:06:27 | 0:06:33
have also had another exact replication of WannaCry with the | 0:06:33 | 0:06:42
virus called Bad Rabbit. We have had two attacks using the same exploits | 0:06:42 | 0:06:48
as WannaCry and there were no health organisations impacted by that as a | 0:06:48 | 0:06:52
result of the remediation taken as part of the mitigation of the | 0:06:52 | 0:06:57
WannaCry attack. The department and the Cabinet Office wrote to the | 0:06:57 | 0:07:05
trusts in 2014 saying it was essential they had robust plans in | 0:07:05 | 0:07:09
place to migrate from old software such as Windows XP. So you had | 0:07:09 | 0:07:15
thought about this a long time ago but it seems that that information | 0:07:15 | 0:07:22
somehow hadn't really transferred through into action by individual | 0:07:22 | 0:07:25
trusts by the time of this WannaCry attack on the 12th of June | 0:07:25 | 0:07:32
2017. It was a mixed picture. As you say, some action was taken in 2014 | 0:07:32 | 0:07:39
and there was a very big turning point in 2015, the National Data | 0:07:39 | 0:07:46
Guardian's report and the CQC report. A big programme of work was put in place | 0:07:46 | 0:07:54
around cybercrime nationally for pretty much the first time in the | 0:07:54 | 0:07:59
NHS. Between that date and the actual WannaCry attack, a lot of | 0:07:59 | 0:08:07
progress had been made. So if you look at XP, which was raised in | 0:08:07 | 0:08:12
2015, I think that was about 18% of NHS systems, it was down to 4.7% at | 0:08:12 | 0:08:20
the time of the WannaCry attack and is now down to 1.8%. However, a lot | 0:08:20 | 0:08:27
of work had been done, it was at the time of the attack work in progress, | 0:08:27 | 0:08:32
so we had started a programme but had not finished it. We were in a | 0:08:32 | 0:08:38
better position to deal with this attack at the point that it happened | 0:08:38 | 0:08:41
but by no means perfect and we'll come onto some of the lessons | 0:08:41 | 0:08:48
learned. We do have a lot to learn from the attack about how we deal | 0:08:48 | 0:08:53
with these things in future. But we were better prepared than we had | 0:08:53 | 0:08:56
been two years previously. If you read the summary of the report, it | 0:08:56 | 0:09:07
says, prior to the attack, NHS Digital conducted an on-site | 0:09:07 | 0:09:12
security assessment for 88 of the trusts and none has passed. There must | 0:09:12 | 0:09:17
have been an alert warning ringing in your department. I was going to | 0:09:17 | 0:09:23
comment on this but the point of those assessments is to identify | 0:09:23 | 0:09:26
weaknesses so they can be improved. It is quite a high bar and every | 0:09:26 | 0:09:33
trust has things it can improve around, even the ones that do it | 0:09:33 | 0:09:38
well. That is the point of the on-site assessment. Of course we | 0:09:38 | 0:09:43
want to get to a position where we no longer are finding things in | 0:09:43 | 0:09:46
trusts that need improving but we are not there yet. But with great | 0:09:46 | 0:09:52
respect, that's quite a glossy answer. None of the trusts had | 0:09:52 | 0:09:56
passed this assessment, none of them. If the majority had I think | 0:09:56 | 0:10:00
your answer would have held water but none of them had. Surely this | 0:10:00 | 0:10:03
must have been something high up on your interests. This had been | 0:10:03 | 0:10:13
identified as a big risk and as I say, a lot of action was in place | 0:10:13 | 0:10:18
partly for the reason that you say. As I say, we had not finished the | 0:10:18 | 0:10:23
programme. There were still continuing vulnerabilities and | 0:10:23 | 0:10:29
WannaCry, our assessment of WannaCry and what happened in the incident | 0:10:29 | 0:10:33
demonstrated to us that we needed to go much further. Your basic point I | 0:10:33 | 0:10:38
agree with you, that clearly there were challenges in the system, some | 0:10:38 | 0:10:43
of them known about, which we had existing programmes to deal with, | 0:10:43 | 0:10:47
some of them we learned from the WannaCry attack and we need to take | 0:10:47 | 0:10:51
further action on. We have now completed 200 on-site assessments, | 0:10:51 | 0:10:58
we had done 88 before WannaCry. All trusts still failed and there | 0:10:58 | 0:11:02
are reasons for that. This isn't a case that all trusts have done | 0:11:02 | 0:11:08
nothing around cyber security. The amount of effort it takes in the NHS | 0:11:08 | 0:11:11
to reach the standard we assess against is quite a high bar, so some | 0:11:11 | 0:11:21
of them failed purely on patching, which is what the vulnerability was | 0:11:21 | 0:11:26
around WannaCry. We work now with organisations, I always think it is | 0:11:26 | 0:11:33
better to have information about where your vulnerabilities are so you | 0:11:33 | 0:11:36
can do something about it rather than hope it will be OK when you do get | 0:11:36 | 0:11:39
an attack. The vulnerability reports go back to the trusts and the trust | 0:11:39 | 0:11:43
boards are then able to work out how they can then do mitigation. Some | 0:11:43 | 0:11:47
need to do quite a considerable amount of work but a number are already | 0:11:47 | 0:11:51
on the journey that will take them towards that requirement. One of the | 0:11:51 | 0:11:57
things we may want to consider, now that we have the | 0:11:57 | 0:12:00
additional funding available, is whether we should go back and | 0:12:00 | 0:12:03
reinspect those where there is the highest risk in order to provide | 0:12:03 | 0:12:06
ourselves with the assurance they are going in the right direction. I | 0:12:06 | 0:12:11
made a mistake, it was the 12th of May, not the 12th of June, the | 0:12:11 | 0:12:14
attack. We are eight months on from that attack and the paragraph, it | 0:12:14 | 0:12:21
goes on to say that NHS Digital cannot mandate a local body to take | 0:12:21 | 0:12:25
remedial action even if it has concerns of the vulnerability of an | 0:12:25 | 0:12:29
organisation. Do you think that your department has sufficient powers to | 0:12:29 | 0:12:34
be able to shake up these trusts and be able to take the necessary | 0:12:34 | 0:12:38
action? Yes, we do. They don't fall to NHS Digital, they are mainly in | 0:12:38 | 0:12:46
the enforcement powers of CQC. Some of the things we had set out | 0:12:46 | 0:12:57
before the WannaCry attack but are now in place by the data and security | 0:12:57 | 0:13:02
standards set in the standard contract for the NHS trusts and part | 0:13:02 | 0:13:08
of their contracts for doing business. This has gone into the CQC | 0:13:08 | 0:13:13
inspection, so CQC will inspect against it, and the support | 0:13:13 | 0:13:20
mechanism would be the same as we use for any other problems we have | 0:13:20 | 0:13:25
in the trusts. It would be for CQC to report and it would be NHSI to | 0:13:25 | 0:13:35
take further action if need be. It goes into the general system. Which | 0:13:35 | 0:13:39
is not to say that there were things that we needed to learn from | 0:13:39 | 0:13:46
WannaCry that we didn't. We are coming on to that. It is worth | 0:13:46 | 0:13:55
adding that as part of the well-led inspections, CQC are also doing | 0:13:55 | 0:14:00
unannounced inspections where there is a concern around cyber security. | 0:14:00 | 0:14:04
For a three-month period up to the end of March, we are doing a small | 0:14:04 | 0:14:10
number of CQC inspections. We will do unannounced inspections on | 0:14:10 | 0:14:18
trusts and will then do a lessons learned in terms of, is that the | 0:14:18 | 0:14:22
right thing to do? Not adding burden onto an existing framework to get | 0:14:22 | 0:14:29
the value out of inspections. Each answer is provoking more questions | 0:14:29 | 0:14:34
but I want to bring my colleagues in. I want to ask a question about | 0:14:34 | 0:14:40
the very serious evidence, I don't know whether you have had a chance | 0:14:40 | 0:14:44
to see, from a former director of the Health and Safety Executive. He | 0:14:44 | 0:14:50
recently did a cyber security review for the MoD so presumably he is | 0:14:50 | 0:14:58
quite well qualified in these matters. He makes the point that as | 0:14:58 | 0:15:02
the WannaCry attack was able to encrypt NHS information, if it was | 0:15:02 | 0:15:08
able to encrypt NHS information it was presumably able to alter NHS | 0:15:08 | 0:15:12
information and that could have had really serious implications such as | 0:15:12 | 0:15:16
changing blood groups and that sort of thing. Do you think that our | 0:15:16 | 0:15:25
systems are now sufficiently robust to be able to...? Is that evidence | 0:15:25 | 0:15:33
true and if it is, would we be in a position to resist a further attack | 0:15:33 | 0:15:47
that was able to do this? I'm afraid I don't have the evidence so I can't | 0:15:47 | 0:15:52
comment on that. It may well be true that data could be changed. It | 0:15:52 | 0:15:58
is important to say that every NHS organisation thoroughly backs up | 0:15:58 | 0:16:03
its data so true copies are available, which will be held off-site, | 0:16:03 | 0:16:10
and after WannaCry, any systems would have been restored from | 0:16:10 | 0:16:12
back-ups because effectively the data was lost. So while there | 0:16:12 | 0:16:17
are technical risks, in this instance the data was restored from | 0:16:17 | 0:16:22
copies which had been secured. At a minimum, the CQC random inspections | 0:16:22 | 0:16:29
should make sure that all organisations are properly backing | 0:16:29 | 0:16:32
up their information. Thank you. Obviously we were quite lucky that | 0:16:32 | 0:16:39
it was a relatively unsophisticated attack, but perhaps I could ask, | 0:16:39 | 0:16:44
given that we had reports in July 2016 from the National Data Guardian | 0:16:44 | 0:16:49
and the Care Quality Commission regarding cyber security and as | 0:16:49 | 0:16:54
recently as March and April before the attack from NHS Digital, how | 0:16:54 | 0:17:05
come we were so unprepared for it? I refer you to my answer earlier. I | 0:17:05 | 0:17:12
don't think we were completely prepared and we had lots to learn | 0:17:12 | 0:17:17
from the WannaCry attack, but nor were we completely unprepared. | 0:17:17 | 0:17:22
Between the reports that you mentioned and the date of the | 0:17:22 | 0:17:28
WannaCry attack, a lot had happened to implement those reports. As both | 0:17:28 | 0:17:39
the reports have picked up, there is a lot more that can be done, but we | 0:17:39 | 0:17:45
had actually implemented the vast majority of what the National Data | 0:17:45 | 0:17:50
Guardian and CQC were recommending. We had not finished implementing it | 0:17:50 | 0:17:58
but I'm not sure I can add very much. This is the first time we knew | 0:17:58 | 0:18:09
there was a vulnerability in the Microsoft operating system, but it | 0:18:09 | 0:18:12
had never been exploited. We had put protection in and, as patching had taken | 0:18:12 | 0:18:17
place in over two thirds of the trusts, they were all secure. However much | 0:18:17 | 0:18:21
a firewall is there to protect against vulnerabilities, we will never ever | 0:18:21 | 0:18:28
mitigate against all cyber attacks. We have to be honest about that. | 0:18:28 | 0:18:32
Anyone that says they mitigate against all cyber attacks, it would | 0:18:32 | 0:18:36
worry me how they are looking after their IT. We have to put protection | 0:18:36 | 0:18:40
at the front end, patch the trusts we were able to, as quickly as happened, | 0:18:40 | 0:18:48
but I cannot understate the complexity of the NHS estate and the | 0:18:48 | 0:18:54
complexity of trying to patch different parts of it because you | 0:18:54 | 0:18:57
can't patch one part without it having an impact on something else. The | 0:18:57 | 0:19:00
main drive has to be on patient care and make sure we don't impact any of | 0:19:00 | 0:19:03
those systems. We have to look at protection but also our ability to | 0:19:03 | 0:19:09
remediate. We have to accept that things will get through to cause | 0:19:09 | 0:19:14
cyber attacks, but how we then respond to those becomes crucial. I | 0:19:14 | 0:19:20
understand what you're saying regarding the complexities of | 0:19:20 | 0:19:23
patching and clearly it is not just the NHS itself but also some of | 0:19:23 | 0:19:27
the suppliers. How can you better get them to update their products | 0:19:27 | 0:19:34
quickly? Because clearly their machines can be attacked as well as | 0:19:34 | 0:19:38
the computer software. | 0:19:38 | 0:19:48
Could you address the Windows XP point and the equipment? This was | 0:19:48 | 0:19:55
not an attack on Windows XP. Legacy is the challenge of any organisation | 0:19:55 | 0:20:00
and the NHS is not unique in having legacy software across the | 0:20:00 | 0:20:06
estate. 95% of devices in the NHS at the time of WannaCry were running | 0:20:06 | 0:20:13
Windows 7 which is capable of being patched. Legacy is important, | 0:20:13 | 0:20:19
but it is not the only issue. The reason that patching does not | 0:20:19 | 0:20:24
happen, and up to 18 months ago I was CEO in a hospital and we had a wide | 0:20:24 | 0:20:33
range of services, both administrative and clinical and | 0:20:33 | 0:20:37
clearly when updating software in clinical areas it is important to | 0:20:37 | 0:20:41
make sure there are no unexpected consequences to the software or | 0:20:41 | 0:20:45
systems that are running. There is a challenge of trying to balance the | 0:20:45 | 0:20:50
technical risk of knowing there is a technical upgrade that we need to do | 0:20:50 | 0:20:54
against the clinical risks to patients as a result of potentially | 0:20:54 | 0:20:58
introducing something that may have an effect on a system or a device | 0:20:58 | 0:21:04
that is running. We continually rebalance that. Within the Royal | 0:21:04 | 0:21:09
Free where I came from we had over 10,000 PCs and devices in the | 0:21:09 | 0:21:14
organisation, so these are large-scale organisations and it is | 0:21:14 | 0:21:17
not a trivial case of saying we can update all of these overnight. There | 0:21:17 | 0:21:22
is complexity in that area. To the point about medical devices, | 0:21:22 | 0:21:27
absolutely we face challenges and during the WannaCry attack we had | 0:21:27 | 0:21:33
diagnostic devices embedded that had not been patched. There are two | 0:21:33 | 0:21:39
things to say. One is we absolutely need to work more closely with | 0:21:39 | 0:21:46
software and device providers to make sure they are in a position | 0:21:46 | 0:21:50
that when patches come up they are able to update their equipment, | 0:21:50 | 0:21:55
which is very sensitive medical equipment. We are talking about MRI | 0:21:55 | 0:22:00
scanners for example which are sensitive to changes. I would also | 0:22:00 | 0:22:06
say from an IT management perspective that there are ways of | 0:22:06 | 0:22:10
designing the infrastructure within an organisation to protect yourself, | 0:22:10 | 0:22:15
so in some organisations networks were effectively completely | 0:22:15 | 0:22:24
connected to everything else as opposed to separating some equipment | 0:22:24 | 0:22:27
off the network. There are ways of designing an environment to mitigate | 0:22:27 | 0:22:31
some of those risks. But it is a hugely complex area and I think we | 0:22:31 | 0:22:37
saw with WannaCry some of the challenges of managing these issues | 0:22:37 | 0:22:42
in these kinds of organisations. In terms of Windows XP it is a good | 0:22:42 | 0:22:50
point. The operating system, especially with specially written software, it | 0:22:50 | 0:22:56
could take years for that to be upgraded. We put some guidance out | 0:22:56 | 0:23:01
for how we segregate those because the key thing is taking it off the | 0:23:01 | 0:23:05
network and making sure it is isolated, or if it is on something | 0:23:05 | 0:23:09
that has the potential to impact on other systems. We put guidance out | 0:23:09 | 0:23:14
on how local organisations can help mitigate that. In the | 0:23:14 | 0:23:18
recommendations there are a number of things we could check and make | 0:23:18 | 0:23:22
sure medical devices are properly segregated. Your point on the | 0:23:22 | 0:23:25
suppliers is a good one. On the actual weekend we were inundated | 0:23:25 | 0:23:31
with suppliers saying, let us know what you want in terms of support | 0:23:31 | 0:23:35
and we will put boots on the ground and there was no question of money | 0:23:35 | 0:23:39
or anything like that. A number of the suppliers helped out in terms of | 0:23:39 | 0:23:44
the remediation in some of the organisations. We worked with the | 0:23:44 | 0:23:47
National Cyber Security Centre because once the attack became an | 0:23:47 | 0:23:51
issue, antivirus providers had to quickly update their systems to prevent | 0:23:51 | 0:23:59
future attacks, which they did and they completed by the end of the | 0:23:59 | 0:24:02
weekend. Then you have got big systems integrators like EPI systems | 0:24:02 | 0:24:08
for major trusts. They cannot just apply a patch in isolation in one system. | 0:24:08 | 0:24:15
They do a patch across their entire estate and some of those will take | 0:24:15 | 0:24:20
time. It is incumbent on us to make sure that if it is a high threat, we | 0:24:20 | 0:24:24
proactively make sure that we do not wait until they are patched, we make | 0:24:24 | 0:24:28
sure they are carrying out the patching and we know where our | 0:24:28 | 0:24:31
vulnerabilities lie. Is there not a simple procurement point here? I am | 0:24:31 | 0:24:40
wondering if you are going to change your procurement processes so that | 0:24:40 | 0:24:45
all new equipment that is procured by your department should be | 0:24:45 | 0:24:49
procured on the basis that software will be supported throughout the | 0:24:49 | 0:24:52
life of that equipment? I will bring in Will in a moment. What we found on | 0:24:52 | 0:25:01
the back of the work done straight after the WannaCry attack was that | 0:25:01 | 0:25:06
even newly installed equipment systems often had, for example, XP | 0:25:06 | 0:25:12
as the embedded operating system and that emphasises the point that has | 0:25:12 | 0:25:16
been made that getting the firewall right and system integrity is as | 0:25:16 | 0:25:22
important as the componentry, over which we might not have direct | 0:25:22 | 0:25:27
control. If you adopted what I was saying, no manufacturer would be | 0:25:27 | 0:25:33
supplying equipment with XP on it because they would not be able to | 0:25:33 | 0:25:36
support it? I was going to make a point of clarification although it | 0:25:36 | 0:25:43
may be a point of additional confusion. Where XP is running | 0:25:43 | 0:25:50
embedded software, some of that is under support. The challenge, back to | 0:25:50 | 0:25:55
the Windows 7 challenge, is not about support, it is about the | 0:25:55 | 0:26:04
challenges of upgrading that software safely and securely to | 0:26:04 | 0:26:08
protect patients from unintended harm as a result of the upgrade. For | 0:26:08 | 0:26:13
many of those devices they are under support and they are continually | 0:26:13 | 0:26:17
supported by the vendor. We can probably do more between our arm's | 0:26:17 | 0:26:25
length bodies to support local organisations in procuring systems | 0:26:25 | 0:26:29
to make sure they get standard contract clauses to ensure they keep | 0:26:29 | 0:26:32
things within the existing up-to-date patch etc. That is | 0:26:32 | 0:26:38
something we can help with as part of the implementation of the report. | 0:26:38 | 0:26:43
There is a wider point prompted by your question. Cyber security is a | 0:26:43 | 0:26:52
whole culture that you would need to build into every decision you take | 0:26:52 | 0:26:56
as opposed to we bought a system, now how do we procure some cyber | 0:26:56 | 0:27:01
security to go with it? When we look at the trusts that were less | 0:27:01 | 0:27:13
affected as opposed to more affected, it seemed to be the ones | 0:27:13 | 0:27:18
that had the sort of wider governance, the wider board | 0:27:18 | 0:27:23
interest, the ones that have built cyber security into everything they | 0:27:23 | 0:27:25
do. You will have heard a lot about getting the basics right. Had you | 0:27:25 | 0:27:34
done your patching, had you done your backing up, had you | 0:27:34 | 0:27:37
isolated...? These are things which are not hugely complicated to | 0:27:37 | 0:27:44
think of. They can be complicated things to do, but there is an awful | 0:27:44 | 0:27:48
lot of this which is not about the IT you need, but it is about the | 0:27:48 | 0:27:53
wider leadership and that is for all organisations up to national level. | 0:27:53 | 0:28:00
One of the other things we should bring out here is you should not | 0:28:00 | 0:28:09
always go to contract when you have a problem. When we are putting in | 0:28:09 | 0:28:13
systems that we oversee we do secure by design which means prior to | 0:28:13 | 0:28:17
anything going live we have got service acceptance criteria that | 0:28:17 | 0:28:22
says from a business and technical perspective, have they met the | 0:28:22 | 0:28:27
requirement that the business needs? If we can get that right, it makes | 0:28:27 | 0:28:31
it easier in terms of some of the remediation because you know where | 0:28:31 | 0:28:35
your gaps are. Thank you. How certain are you that no harm was | 0:28:35 | 0:28:43
caused to any of NHS England's patients as a result of the attack? | 0:28:43 | 0:28:48
No harm has been identified. We have a process for identifying incidents | 0:28:48 | 0:28:55
where our trusts report where those have arisen and as reported in the | 0:28:55 | 0:29:01
report that is the position that we
are aware of. That is also true in | 0:29:01 | 0:29:07 | |
Scotland and although we are
principally concerned with England | 0:29:07 | 0:29:10 | |
today, as I understand it 11 out of
14 Scottish health boards and the | 0:29:10 | 0:29:16 | |
Scottish Ambulance Service were also
affected. How long did it take for | 0:29:16 | 0:29:23 | |
NHS England to reschedule all the
cancelled and postponed | 0:29:23 | 0:29:25 | |
appointments? NHS England itself
does not do it, but that would have | 0:29:25 | 0:29:31 | |
been within days of the original
referrals. By way of context, one | 0:29:31 | 0:29:40 | |
patient treatment deferred is one
too many, but the NHS does look | 0:29:40 | 0:29:44 | |
after 1 million people a day and the
estimate is that that was 19,500 of | 0:29:44 | 0:29:55 | |
those million appointments that may
have been affected in terms of | 0:29:55 | 0:29:57 | |
outpatient appointments. It is
obviously regrettable, but a small | 0:29:57 | 0:30:01 | |
proportion. Can you quantify the
cost to the NHS from the cyber | 0:30:01 | 0:30:08 | |
attack and the postponement of the
appointments and all the overtime | 0:30:08 | 0:30:11 | |
that had to be worked as a result?
As the report says, we have not got | 0:30:11 | 0:30:17 | |
a national estimate of that and I am
not sure whether one has been | 0:30:17 | 0:30:21 | |
compiled in Scotland either. But in
effect a lot of people voluntarily | 0:30:21 | 0:30:28 | |
went the extra mile to sort out the
situation, not only for those of us | 0:30:28 | 0:30:33 | |
who are involved and set the weekend
and the following week, and I want | 0:30:33 | 0:30:39 | |
to pay tribute to front-line IT
staff, GP staff across hospital | 0:30:39 | 0:30:46 | |
systems and international bodies who
really did go that extra mile, | 0:30:46 | 0:30:50 | |
obviously that is an inconvenience,
but people put patients first. When | 0:30:50 | 0:31:02 | |
you say voluntarily, did some people
work unpaid overtime to help with | 0:31:02 | 0:31:06 | |
the problem? For example, will spend
the weekend Darren Berkshire helping | 0:31:06 | 0:31:12 | |
them and many people did a lot to
help out. It was remarkable that | 0:31:12 | 0:31:19 | |
over the course of the weekend by
the Sunday night an enormous | 0:31:19 | 0:31:23 | |
programme had been put in place to
sort out GP surgeries. Obviously | 0:31:23 | 0:31:29 | |
coming online on Monday morning, I
was at the GP surgery on Monday | 0:31:29 | 0:31:34 | |
morning at half past seven to look
directly at the issues were | 0:31:34 | 0:31:37 | |
affecting patient care and there was
mass mobilisation across the whole | 0:31:37 | 0:31:41 | |
NHS that weekend. Your focus is on
the health care rather than the cost | 0:31:41 | 0:31:49 | |
aspect. But do you have any idea of
how much overtime was accumulated | 0:31:49 | 0:31:55 | |
during that period? It would give an
approximate estimate. We do not and | 0:31:55 | 0:31:59 | |
the report does not say there is a
national measurement of that. Simon | 0:31:59 | 0:32:11 | |
said generally people did what they
needed to do just as extra. There | 0:32:11 | 0:32:18 | |
would have been some overtime but at
a national level you would not have | 0:32:18 | 0:32:22 | |
seen any difference during a normal
accounting period. How long is a | 0:32:22 | 0:32:29 | |
piece of string question, but how
much worse could this attack have | 0:32:29 | 0:32:33 | |
been if it had not been during the
quieter period of summer and if we | 0:32:33 | 0:32:38 | |
had not had an IT expert that found
the kill switch so quickly? I would | 0:32:38 | 0:32:45 | |
not want to hazard a guess. We can
be certain that it would have been | 0:32:45 | 0:32:49 | |
worse. After the kill switch was
found we were able to monitor local | 0:32:49 | 0:33:00 | |
organisations, effectively calling
the kill switch. The virus was on | 0:33:00 | 0:33:13 | |
the device and it looked for the
kill switch. 21 organisations called | 0:33:13 | 0:33:19 | |
the kill switch in that period. So
in the worst-case 21 organisations | 0:33:19 | 0:33:27 | |
may have been impacted. Actually that
call was to check that there was a | 0:33:27 | 0:33:36 | |
network connection to the switch. It
would have been worse we think, but | 0:33:36 | 0:33:44 | |
I would be loath to put a figure on
it. Can I return to the issue of | 0:33:44 | 0:33:52 | |
cost. You have got quite precise
numbers about the number of patients | 0:33:52 | 0:33:57 | |
affected and likely follow up
appointments that would have been | 0:33:57 | 0:34:00 | |
cancelled, although it is harder for
you to be more precise about some | 0:34:00 | 0:34:03 | |
other aspects of the impact. Why has
no assessment been made as to the | 0:34:03 | 0:34:09 | |
overall cost? That figure would be
helpful in understanding the impact | 0:34:09 | 0:34:13 | |
this has had on the NHS. It is
important to say we had a | 0:34:13 | 0:34:20 | |
conversation with the fieldworkers.
This data collection was to | 0:34:20 | 0:34:29 | |
understand what the impact was and
where the impact occurred so that we | 0:34:29 | 0:34:33 | |
could manage it effectively to make
sure resources were directed to
those parts of the NHS that require | 0:34:37 | 0:34:44 | |
support. We did not set out to try
and enumerate all of the impact, all
of the costs, because we were | 0:34:44 | 0:34:49 | |
focused on resolving the incident.
And then we did have a conversation | 0:34:49 | 0:34:53 | |
with colleagues after the incident
while the report was being developed | 0:34:53 | 0:34:58 | |
as to whether we should do a
separate data collection and we had | 0:34:58 | 0:35:03 | |
a relatively robust discussion about
it and the view that I gave was I | 0:35:03 | 0:35:08 | |
did not believe that would help us
understand what happened any better | 0:35:08 | 0:35:13 | |
than we knew during the incident and
I was not convinced it would change | 0:35:13 | 0:35:17 | |
those things that we would do in the
future to prevent an attack. That is | 0:35:17 | 0:35:22 | |
why we do not have an answer to
those questions. You rightly point | 0:35:22 | 0:35:28 | |
out to patients the
impact it would have on the NHS, the | 0:35:28 | 0:35:33 | |
financial impact when a patient
fails to attend an appointment. | 0:35:33 | 0:35:39 | |
Would it not be possible to have
something similar here so we can get | 0:35:39 | 0:35:43 | |
an impact on cyber security? The
underlying point is that everyone | 0:35:43 | 0:35:50 | |
can see that lots of things need to
change and in the sense that | 0:35:50 | 0:35:55 | |
argument has already been won. The
fact that we are now explicitly | 0:35:55 | 0:36:01 | |
changing the way in which our
individual organisations get | 0:36:01 | 0:36:03 | |
support, targeted investment outside
the security, and that case has been | 0:36:03 | 0:36:10 | |
understood. You do not think it
would be helpful for organisation to | 0:36:10 | 0:36:15 | |
understand there would be a cost for
this? I think organisations would | 0:36:15 | 0:36:20 | |
sigh a bit if we sent out a new set
of forms for people to complete | 0:36:20 | 0:36:26 | |
estimating what the marginal costs
of an event last May would be. I do | 0:36:26 | 0:36:33 | |
not think practically speaking it
would affect the action that now | 0:36:33 | 0:36:35 | |
needs to be, and is being, taken.
But you are telling patients how | 0:36:35 | 0:36:41 | |
much it costs when they miss an
appointment. Is that a waste of | 0:36:41 | 0:36:44 | |
time? | 0:36:44 | 0:36:53 | |
That in itself would be very costly.
But you frequently get reminders | 0:36:53 | 0:36:58 | |
saying if you fail to attend an
appointment this will cost the NHS | 0:36:58 | 0:37:03 | |
£120. There are those figures as to
around. That is an important driver | 0:37:03 | 0:37:09 | |
in patient behaviour. Is it not
helpful for organisations to | 0:37:09 | 0:37:13 | |
understand that failing to act in
making sure their cyber security | 0:37:13 | 0:37:18 | |
responsibilities are being
discharged comes with a financial | 0:37:18 | 0:37:21 | |
cost as well? Yes, but I don't
think that is the principal | 0:37:21 | 0:37:25 | |
argument. I think the principal
argument is about patient safety and | 0:37:25 | 0:37:34 | |
the continuity of care that we can
offer. WannaCry was the first act of | 0:37:34 | 0:37:39 | |
its kind on health and care system.
We were not the only organisation by | 0:37:39 | 0:37:44 | |
any means affected around the world.
The German role ways, the Russian | 0:37:44 | 0:37:51 | |
interior ministry, Nissan, Renault,
various others were also affected -- | 0:37:51 | 0:37:55 | |
the German railways. It was the
impetus for change and improvement | 0:37:55 | 0:37:59 | |
right across the health service
regardless. To add to that, I don't | 0:37:59 | 0:38:04 | |
think we have got any evidence that
anyone in the NHS was not taking | 0:38:04 | 0:38:11 | |
this seriously. If you referred to
what the CQC and the national data | 0:38:11 | 0:38:18 | |
Guardian said in 2016, one of their
quotes was there was evident | 0:38:18 | 0:38:22 | |
widespread commitment to data
security and staff facing a | 0:38:22 | 0:38:31 | |
challenge in translating the
commitment into practice. I don't | 0:38:31 | 0:38:35 | |
think our challenge was persuading
people in the NHS with data security | 0:38:35 | 0:38:41 | |
is important. Certainly post
WannaCry I don't think there is | 0:38:41 | 0:38:44 | |
anyone in the NHS who would be
saying that. I don't think we do | 0:38:44 | 0:38:48 | |
need to prove to be taking this
seriously, it is equipping people | 0:38:48 | 0:38:54 | |
with the tools to turn that into
positive action of the type that Rob | 0:38:54 | 0:38:59 | |
and Will have been describing.
Understand the point you're making | 0:38:59 | 0:39:03 | |
but the same could be said of a
number of other things. It is | 0:39:03 | 0:39:09 | |
helpful for us to understand. No one
sets out to have a cyber attack | 0:39:09 | 0:39:14 | |
where there is an inadequate
response or people are not fully | 0:39:14 | 0:39:17 | |
prepared but there are good
intentions and then making sure you | 0:39:17 | 0:39:20 | |
have done what you need to do to set
it right. And we agree with that. | 0:39:20 | 0:39:24 | |
And a number of things we have set
in place are about ensuring that | 0:39:24 | 0:39:31 | |
compliance of things that NHS
digital send out and others are | 0:39:31 | 0:39:34 | |
exactly the region that you save. On
the straight costing question, the | 0:39:34 | 0:39:41 | |
truth is, it does not fall out of
the data we regularly collect from | 0:39:41 | 0:39:46 | |
trusts and others. Other than the
very macrolevel described earlier, | 0:39:46 | 0:39:53 | |
we would need to get an accurate
number and do an entirely separate | 0:39:53 | 0:39:57 | |
data collection which places burdens
all the way through the system, and | 0:39:57 | 0:40:02 | |
for the reasons Will explained, we
do not see doing a specific data | 0:40:02 | 0:40:10 | |
collection as a particularly
positive thing. Now, that is clearly | 0:40:10 | 0:40:14 | |
a debatable position. I think the
National Audit Office would probably | 0:40:14 | 0:40:17 | |
have taken a different decision but
that is the decision that was taken. | 0:40:17 | 0:40:22 | |
Ideally, we would have a number but
we don't. I agree with exactly what | 0:40:22 | 0:40:28 | |
Chris and Simon have said. Looking
back would not give off any help at | 0:40:28 | 0:40:31 | |
all. If I was ICT director in a
local trust, I would want to have | 0:40:31 | 0:40:35 | |
some idea that if this happens
again, in terms of how can I make a | 0:40:35 | 0:40:40 | |
compelling argument that we should
be investing in cyber security, and | 0:40:40 | 0:40:43 | |
one of the way they would do that is
how much it costs in terms of | 0:40:43 | 0:40:47 | |
remediation. How do you balance the
risk of prevention in terms of | 0:40:47 | 0:40:52 | |
remediation? Looking | 0:40:52 | 0:41:03 | |
backward would not help. Even if
organisations were able to say this | 0:41:04 | 0:41:06 | |
is the rough order of magnitude for
an attack, it helps build their case | 0:41:06 | 0:41:09 | |
for what they should be spending on
defences. Just to supplement what | 0:41:09 | 0:41:11 | |
he's saying, it would help
accountability. It is quite | 0:41:11 | 0:41:15 | |
convenient that it is proven not to
be practical among other things | 0:41:15 | 0:41:19 | |
which are practical. And they'll
slow think with this list of | 0:41:19 | 0:41:23 | |
initiatives we have here, there are
a couple of one-off numbers | 0:41:23 | 0:41:27 | |
associated, but not a proper costing
on what it is going to cost and is | 0:41:27 | 0:41:36 | |
that a practical number in context
of the pressures on the NHS budget. | 0:41:36 | 0:41:38 | |
It is not old-fashioned or
retrospective to say when these | 0:41:38 | 0:41:40 | |
things happen, it is part of
assessing the seriousness of the | 0:41:40 | 0:41:44 | |
event in terms of the accountability
of parliament, or practicalities of | 0:41:44 | 0:41:48 | |
the forward plan, to understand to
the best of the NHS's ability what
the costs are that are | 0:41:53 | 0:41:58 | |
concerned. I do think that is | 0:41:53 | 0:41:58 | |
terribly, no one is suggesting a
retrospective thing now or | 0:41:58 | 0:42:02 | |
exaggerating, it is normal
accountability. Do you think that is | 0:42:02 | 0:42:07 | |
-- I don't think that is a bridge
too far personally. Since there were | 0:42:07 | 0:42:14 | |
clearly strongly held opinions on
this matter, I am quite happy to go | 0:42:14 | 0:42:18 | |
and look again at whether there is
some way of coming to a global | 0:42:18 | 0:42:24 | |
number. I don't think it would be an
audible number -- and auditable | 0:42:24 | 0:42:30 | |
number that you would expect. I'm
quite happy to go and look again at | 0:42:30 | 0:42:35 | |
that. We will face up to the
technical challenges! As I say, if | 0:42:35 | 0:42:42 | |
there is some way we can manipulate
existing data to give ourselves a | 0:42:42 | 0:42:47 | |
global sum then I can see that. What
we don't want to do for reasons that | 0:42:47 | 0:42:52 | |
Simon was explaining is to go back
to people who take this very | 0:42:52 | 0:42:58 | |
seriously and could do a further
burden. At this point, can one of | 0:42:58 | 0:43:03 | |
you clarify to us for this
committee, exactly what resources | 0:43:03 | 0:43:07 | |
are being devoted to decide the
issue? Because we have had the whole | 0:43:07 | 0:43:16 | |
idea of transferring money from the
capital budget to the revenue | 0:43:16 | 0:43:21 | |
budget, perhaps you can clarify for
us, what resources you are now | 0:43:21 | 0:43:25 | |
devoting to the cyber problem within
the NHS? With national spend is | 0:43:25 | 0:43:36 | |
divided between what we basically
allocate to IT nationally and what | 0:43:36 | 0:43:41 | |
trusts and others choose to spend
themselves? Over a Spending Review | 0:43:41 | 0:43:45 | |
period from 2015 to 2020, we have
allocated I think 4.2 billion to IT | 0:43:45 | 0:43:55 | |
programmes. Our cyber security
investment comes nationally and I | 0:43:55 | 0:44:01 | |
keep emphasising there is a national
bit and a local bit and that comes | 0:44:01 | 0:44:05 | |
out of that 4.2. The original
allocation directly to cyber | 0:44:05 | 0:44:09 | |
security in that was £50 million.
That was supplemented by an | 0:44:09 | 0:44:16 | |
additional 21 million immediately
after WannaCry, namely to deal with | 0:44:16 | 0:44:23 | |
systems and infrastructure issues.
Then, as a part of the | 0:44:23 | 0:44:30 | |
reprioritisation we have done since
WannaCry, we have allocated a | 0:44:30 | 0:44:35 | |
further 25 million this financial
year, and then 150 million over the | 0:44:35 | 0:44:41 | |
following financial years. That is
our direct spend on cyber security. | 0:44:41 | 0:44:47 | |
It is very difficult to get to a
number of what you spend on cyber | 0:44:47 | 0:44:51 | |
security, for some of the reasons
you were stating earlier. When you | 0:44:51 | 0:44:56 | |
upgrade your systems you enhance
your cyber security and it is | 0:44:56 | 0:45:00 | |
frequently better to upgrade your
systems than to spend a specific | 0:45:00 | 0:45:04 | |
amount on cyber. A lot of the other
spending on IT will be contributing | 0:45:04 | 0:45:08 | |
to cyber security but those are our
direct investments. Can we assume | 0:45:08 | 0:45:14 | |
from that answer, that from the
report that Mr Smart has produced | 0:45:14 | 0:45:21 | |
with 22 recommendations, that there
will be sufficient funds to | 0:45:21 | 0:45:26 | |
implement his recommendations? What
we have said and I hope this is | 0:45:26 | 0:45:29 | |
clear in what we published, is that
we have re-prioritised the 25 | 0:45:29 | 0:45:34 | |
million we are going to spend this
year and the 150 million as the | 0:45:34 | 0:45:38 | |
initial amounts that we will spend
on implementing all this, we will | 0:45:38 | 0:45:45 | |
keep that amount under review, both
in terms of how we are getting on | 0:45:45 | 0:45:52 | |
with implementing what Will has
recommended, and of course, the | 0:45:52 | 0:45:57 | |
assessment of the evolving threat. I
know that doesn't sound very clear, | 0:45:57 | 0:46:03 | |
but it is at the heart of our
challenge here, that this is not a | 0:46:03 | 0:46:10 | |
static issue with our friends in the
National Cyber Security Centre, we | 0:46:10 | 0:46:16 | |
are constantly monitoring for what
the next threat of -- set of threats | 0:46:16 | 0:46:22 | |
are and trying to stay one step
ahead of the people who are playing | 0:46:22 | 0:46:25 | |
games with us. We are looking at
what have they just done, where have | 0:46:25 | 0:46:30 | |
they blocked a potential problem and
where can we go that they have not | 0:46:30 | 0:46:34 | |
thought of next? Those are the
initial investments we have made but | 0:46:34 | 0:46:37 | |
we will keep that amount under
review. Things I should add, as we | 0:46:37 | 0:46:42 | |
have already I hope has become
clear, lots of these things are not | 0:46:42 | 0:46:50 | |
about money. They are about culture
and practice and systems, though | 0:46:50 | 0:46:54 | |
money is of course important. And
individual trusts, and indeed other | 0:46:54 | 0:47:03 | |
institutions in the NHS are
responsible for their own cyber | 0:47:03 | 0:47:06 | |
security and need to be investing
their own money in it. So we're not | 0:47:06 | 0:47:11 | |
saying that what we have announced
there is the sum total of what needs | 0:47:11 | 0:47:17 | |
to be to protect the NHS, we spend
money nationally on things that go | 0:47:17 | 0:47:24 | |
beyond the individual institutions
like the NHS spine, things where | 0:47:24 | 0:47:29 | |
there is a clear economy of scale,
where we can do it on behalf of | 0:47:29 | 0:47:34 | |
the system, and things where we are
helping to create the framework in | 0:47:34 | 0:47:45 | |
which the rest of the NHS can
operate well, like those things | 0:47:45 | 0:47:52 | |
which can give advice. That is what
we allocate central money to. | 0:47:52 | 0:47:58 | |
Resources for the defence of an
individual trust or an individual GP | 0:47:58 | 0:48:05 | |
come out of their resources rather
than ours. So it is a complicated | 0:48:05 | 0:48:09 | |
picture, but we try to keep that
distinction between what it is right | 0:48:09 | 0:48:13 | |
to spend nationally, and what it is
right to leave to local trust boards | 0:48:13 | 0:48:18 | |
to deal with their own
circumstances. One thing that really | 0:48:18 | 0:48:27 | |
concerns me, and it comes back to my
first words I think at the beginning | 0:48:27 | 0:48:32 | |
of this session is your department
has now been given additional | 0:48:32 | 0:48:36 | |
responsibilities for the social care
sector. I am very concerned, given | 0:48:36 | 0:48:40 | |
its diffuse nature about a cyber
attack on the social care system, if | 0:48:40 | 0:48:45 | |
we had large numbers of care homes,
for example, not being able to | 0:48:45 | 0:48:50 | |
operate because they were attacked
by a cyber attack, are you looking | 0:48:50 | 0:48:55 | |
at that whole aspect? We have always
had the responsibility for cyber | 0:48:55 | 0:49:01 | |
security and social care, and that
is not something that is transferred | 0:49:01 | 0:49:06 | |
in with the new name. I will leave
Will to say in that -- to say little | 0:49:06 | 0:49:15 | |
more. One question, is this
technology dependent than a trust | 0:49:15 | 0:49:22 | |
hospital is? I would say it is much
more difficult to defend because of | 0:49:22 | 0:49:26 | |
its very dicey 's nature as you say.
-- diffuse nature. But the nature of | 0:49:26 | 0:49:35 | |
threat is probably less because it
is less on high-end IT and | 0:49:35 | 0:49:41 | |
diagnostics to run its day-to-day
business. Will, you looked at some | 0:49:41 | 0:49:46 | |
of these questions. We know the NHS
is made up of a large number of | 0:49:46 | 0:49:52 | |
independent organisations, 8000 GP
practices and hospital trusts. There | 0:49:52 | 0:49:57 | |
are 20,000 providers of social care
across England, and they range from | 0:49:57 | 0:50:03 | |
small single organisations through
to large groups so we know we have a | 0:50:03 | 0:50:09 | |
real challenge. We actually have,
following WannaCry, not very much | 0:50:09 | 0:50:14 | |
evidence about how WannaCry
implicated social care and one of | 0:50:14 | 0:50:19 | |
the recommendations in my report is
about actually commissioning | 0:50:19 | 0:50:24 | |
research to better understand both
the cyber security stance of social | 0:50:24 | 0:50:29 | |
care, but more importantly, to
identify what are the right levels | 0:50:29 | 0:50:33 | |
of protections that need to be in
place in social care, because I | 0:50:33 | 0:50:38 | |
think I know that we don't know that
very well. That said, health was | 0:50:38 | 0:50:46 | |
particularly impacted by WannaCry
because of the National NHS network | 0:50:46 | 0:50:52 | |
which connects every NHS
organisation together. That was, I | 0:50:52 | 0:50:55 | |
think to the best of our knowledge,
Rob can confirm the route of | 0:50:55 | 0:51:01 | |
transmission of WannaCry, those
20,000 social care organisations in | 0:51:01 | 0:51:04 | |
general are not connected to that
network so in some sense that | 0:51:04 | 0:51:07 | |
provides some isolation. Local
government organisations which was | 0:51:07 | 0:51:12 | |
picked up in the NAO report, no
local authority was affected by | 0:51:12 | 0:51:19 | |
WannaCry and therefore the impact on
that part of the social care network | 0:51:19 | 0:51:25 | |
was more to do with challenges
around sharing data between health | 0:51:25 | 0:51:32 | |
and social care, the interface, so
we do need to do more work. We | 0:51:32 | 0:51:35 | |
recognise it and I hope we would
come back with more detail. | 0:51:35 | 0:51:43 | |
Could you tell us, you are moving
away from the Internet system into | 0:51:43 | 0:51:48 | |
the NHS e-mail system. What is the
timetable for that? We are moving | 0:51:48 | 0:51:58 | |
away from N3, which is the
current network that is provided by | 0:51:58 | 0:52:02 | |
BT. There will be a transition
network that is available whilst | 0:52:02 | 0:52:07 | |
organisations are able to migrate
onto the new health and social care | 0:52:07 | 0:52:12 | |
network. As more organisations move
away from that, what that does is, | 0:52:12 | 0:52:16 | |
it is a single entity and the health
and social care network is a number | 0:52:16 | 0:52:22 | |
of providers providing the service,
so that will make it easier for us | 0:52:22 | 0:52:25 | |
if we got to the situation where we
had a mass attack because it would | 0:52:25 | 0:52:29 | |
not attack everybody. Those
transfers will happen over the next | 0:52:29 | 0:52:33 | |
couple of years. What is the
timetable before that transformation | 0:52:33 | 0:52:38 | |
will be complete? Two or three
years. A lot of it is the speed of | 0:52:38 | 0:52:48 | |
how long organisations take to
migrate. The first set of | 0:52:48 | 0:52:53 | |
organisations have migrated onto the
health and social care network and | 0:52:53 | 0:52:56 | |
we have a number of providers
supplying those services. We need to | 0:52:56 | 0:53:01 | |
make sure we do not end up with a
long tail and we keep the transition | 0:53:01 | 0:53:05 | |
network going for a longer period
because organisations are moving | 0:53:05 | 0:53:09 | |
across. There will be incentives and
making sure that people do not | 0:53:09 | 0:53:13 | |
languish and become the last ones in
moving across. In terms of the | 0:53:13 | 0:53:18 | |
response to the attack, can I ask
first of all why the plan had not | 0:53:18 | 0:53:24 | |
been tested for a response to a
cyber attack? We had a plan to test. | 0:53:24 | 0:53:32 | |
It was purely timing. We had in
place plans to test and WannaCry | 0:53:32 | 0:53:41 | |
hit before we had a chance to do it.
Who was responsible overall for | 0:53:41 | 0:53:47 | |
leading the response? At which
point? In terms of my understanding | 0:53:47 | 0:53:57 | |
of the response to WannaCry. Who is
responsible? On Friday the 12th we | 0:53:57 | 0:54:04 | |
decided during the course of the day
when it became apparent the nature | 0:54:04 | 0:54:08 | |
of the attack, that we would manage
this through the emergency | 0:54:08 | 0:54:13 | |
preparedness and response EPR
arrangements that we use for any | 0:54:13 | 0:54:15 | |
major attack across the NHS. At that
point the NHS in London stepped up | 0:54:15 | 0:54:22 | |
with our partners around the table
here to run that. Since then we have | 0:54:22 | 0:54:28 | |
now done a dry run through the kind
of scenarios that we would expect in | 0:54:28 | 0:54:36 | |
future attacks and we now have a clear
IT specific cyber operating plan | 0:54:36 | 0:54:45 | |
that would kick in in the event of a
similar type of event in the future. | 0:54:45 | 0:54:51 | |
That was not in place then? That was
one of the things that came out of | 0:54:51 | 0:54:58 | |
WannaCry and some of the actions
that have been taken, yes. The NHS | 0:54:58 | 0:55:05 | |
emergency response system is tested
and it performs as it always does, | 0:55:05 | 0:55:19 | |
excellently. I admit we could have
been slicker and there were some | 0:55:19 | 0:55:32 | |
things that we presumed different
about a cyber attack than other | 0:55:32 | 0:55:40 | |
types of incident. But the plan did
basically work. The issues were | 0:55:40 | 0:55:51 | |
before. You see this in lots of
crisis situations. One of the | 0:55:51 | 0:55:56 | |
biggest issues is when do you call
it? When something is happening in a | 0:55:56 | 0:56:04 | |
couple of hospitals is reported when
the tip over to be a major incident? | 0:56:04 | 0:56:11 | |
When do you put the machinery in
place? That is always an issue. Can | 0:56:11 | 0:56:18 | |
I challenge the assertion that it
did work. It worked with a bit of | 0:56:18 | 0:56:22 | |
luck, the plan, didn't it? The kill
switch came in and help do, but | 0:56:22 | 0:56:30 | |
people did not know how to
communicate with your department and | 0:56:30 | 0:56:34 | |
the organisations. They had to use
mobile phones or whatever. I do not | 0:56:34 | 0:56:41 | |
know if that particular document,
for obvious reasons it is it not in | 0:56:41 | 0:56:47 | |
the public domain, but can you
assure us if a future incident | 0:56:47 | 0:56:50 | |
happens that people would know how
to communicate with your department | 0:56:50 | 0:56:54 | |
and organisation and there is a set
protocol for doing so? That is the | 0:56:54 | 0:57:01 | |
situation that arose that weekend
and arrangements have been put in | 0:57:01 | 0:57:06 | |
place subsequently to deal with
that. I don't know how much you want | 0:57:06 | 0:57:09 | |
us to say. I do not want you to give
anything away. Presumably the | 0:57:09 | 0:57:15 | |
document is confidential. Aspects of
it are public. I would say that NHS | 0:57:15 | 0:57:25 | |
digital colleagues have put in place
a mechanism to communicate directly | 0:57:25 | 0:57:29 | |
across the service. Across the NHS a
tremendous amount of work has been | 0:57:29 | 0:57:36 | |
done about joining up networks and
they have created weekly text alerts | 0:57:36 | 0:57:43 | |
that connects to every CIO and
service to provide that | 0:57:43 | 0:57:49 | |
communication. We have learned the
lessons we need for multiple | 0:57:49 | 0:57:53 | |
communication channels to be in
place and I hope we do not need to | 0:57:53 | 0:58:01 | |
use it for a long time. The
communications system that was in | 0:58:01 | 0:58:08 | |
place for EDI systems which worked
with individual trusts did work. One | 0:58:08 | 0:58:14 | |
of the things we learned from the
incident is you need a wider range | 0:58:14 | 0:58:18 | |
of people to communicate with. It is
not that the plans in place did not | 0:58:18 | 0:58:23 | |
work, they did, it is that you need
more than that. I am grateful for | 0:58:23 | 0:58:30 | |
the clarification. Regardless of
where you are in the country, there | 0:58:30 | 0:58:38 | |
would be an understanding of where
to come in the event of a cyber | 0:58:38 | 0:58:43 | |
attack? People on the ground would
know who to come to and have quickly | 0:58:43 | 0:58:47 | |
to do that? They would know where
their responsibilities lie? We are | 0:58:47 | 0:58:53 | |
very clear that if there was a
suspicion in any organisation that | 0:58:53 | 0:58:57 | |
there may be a cyber attack, the
first port of call is the NHS | 0:58:57 | 0:59:03 | |
digital security operations centre.
NHS Digital will assess the risk and | 0:59:03 | 0:59:07 | |
within an hour of an initial contact
with NHS Digital, they will have a | 0:59:07 | 0:59:15 | |
discussion and I will take the
decision as to how we deal with it | 0:59:15 | 0:59:23 | |
and we have a process to proactively
manage that. Had GDPR been in place, | 0:59:23 | 0:59:31 | |
how ready would it have been able to
respond in a timely fashion to the | 0:59:31 | 0:59:38 | |
data breaches? The NHS already has a
history, we report breaches, we have | 0:59:38 | 0:59:46 | |
been transparent about that. I do
not think GDPR impacts the way we | 0:59:46 | 0:59:51 | |
report those breaches. Do you think
the NHS and its constituent parts | 0:59:51 | 0:59:56 | |
are ready for GDPR in the broadest
sense? Is there an understanding | 0:59:56 | 1:00:03 | |
about what needs to be done?
Certainly in our organisation we | 1:00:03 | 1:00:12 | |
have got a full programme to become
compliant and with the type of | 1:00:12 | 1:00:17 | |
organisation we are you would expect
that is the case. We have had our | 1:00:17 | 1:00:21 | |
internal audit group come in and
look at where we are early in the | 1:00:21 | 1:00:25 | |
year and we have a follow up in
April to make sure we have a strong | 1:00:25 | 1:00:28 | |
plan to become compliant with GDPR.
Local organisations will be | 1:00:28 | 1:00:34 | |
doing their own planning. There is
no central oversight in terms of | 1:00:34 | 1:00:37 | |
whether they are on track to do
that. But the IG Toolkit that used | 1:00:37 | 1:00:43 | |
to put a lot of guidance out about
data protection has been replaced. | 1:00:43 | 1:00:48 | |
It was another recommendation in the
review because before it was a tick | 1:00:48 | 1:00:58 | |
box exercise that the Toolkit
became, so we have made it more into | 1:00:58 | 1:01:02 | |
a data security protection Toolkit
to give local organisations more | 1:01:02 | 1:01:07 | |
information. It is a lighter touch
but the modules in their give more | 1:01:07 | 1:01:12 | |
guidance around Dame Fiona
Caldicot's principles around the | 1:01:12 | 1:01:19 | |
Data Protection Act. It gives staff
up-to-date tools because we need to | 1:01:19 | 1:01:22 | |
explain to people about things like
phishing attacks and how you keep | 1:01:22 | 1:01:27 | |
safe online and how you make sure
you do not fall for e-mail scams. As | 1:01:27 | 1:01:31 | |
part of the readiness to help with
the system we have made sure we are | 1:01:31 | 1:01:39 | |
updating the data security
protection Toolkit so they can | 1:01:39 | 1:01:42 | |
update more support for our
organisations that want to move | 1:01:42 | 1:01:47 | |
towards compliance. The board is
accountable for these issues and | 1:01:47 | 1:01:59 | |
they will be ensuring that the board
are aware of the risks to the | 1:01:59 | 1:02:04 | |
information governance Alliance, a
coalition which will be publishing | 1:02:04 | 1:02:15 | |
information for those organisations
to ensure they are as informed as | 1:02:15 | 1:02:17 | |
they can be as to what the
regulations are. If GDPR had been in | 1:02:17 | 1:02:31 | |
place, would there be any extra
responsibilities upon you as to the | 1:02:31 | 1:02:35 | |
reporting in place? I am not sure.
Where does cyber security rank | 1:02:35 | 1:02:42 | |
alongside your many various
priorities? It is one of our top | 1:02:42 | 1:02:48 | |
risks and these are managed as such.
Actually it is an area where the | 1:02:48 | 1:02:56 | |
Department takes a more active role
in the setting of the work and the | 1:02:56 | 1:03:05 | |
management of it mainly because of
its cross government nature. And | 1:03:05 | 1:03:12 | |
because we are also interfacing with
the cyber Security Centre and | 1:03:12 | 1:03:21 | |
others, so we are... Do you think
the chain of events leading to the | 1:03:21 | 1:03:30 | |
WannaCry attack would demonstrate
that it is up there as one of your | 1:03:30 | 1:03:34 | |
top priorities? Do you think the
evidence in the run-up to the | 1:03:34 | 1:03:37 | |
WannaCry attack would demonstrate
that it is a key priority? In terms | 1:03:37 | 1:03:43 | |
of priority, yes. In the two reports
that were referred to earlier, my | 1:03:43 | 1:03:53 | |
predecessor as permanent Secretary
one of the last things she did was | 1:03:53 | 1:03:58 | |
to review governance of IT including
the security governance and she put | 1:03:58 | 1:04:07 | |
in a new structure, including the
role that we would play which is | 1:04:07 | 1:04:14 | |
looking across on behalf of all of
us the digital and IT issues. I do | 1:04:14 | 1:04:21 | |
not think it is the case that there
was a lack of priority. With | 1:04:21 | 1:04:29 | |
hindsight looking at WannaCry would
it have been even better if those | 1:04:29 | 1:04:34 | |
things had started earlier? Of
course, yes. But certainly since | 1:04:34 | 1:04:42 | |
2015 when our national approach on
cyber security began I do not think | 1:04:42 | 1:04:53 | |
there is a lack of priority. But we
have a huge amount to learn. You are | 1:04:53 | 1:05:00 | |
right to say with the benefit of
hindsight, but was it not the case | 1:05:00 | 1:05:04 | |
that you were lucky this time
because of the timing of the attack, | 1:05:04 | 1:05:08 | |
the kill switch, it was Friday
afternoon, it was not in the middle | 1:05:08 | 1:05:11 | |
of winter? Had any of those factors
come at different points, the | 1:05:11 | 1:05:16 | |
outcome might not have been so
positive? | 1:05:16 | 1:05:22 | |
We have discussed a number of those
things as we have gone along. | 1:05:23 | 1:05:30 | |
Clearly, if this had happened at a
time when the NHS was on the | 1:05:30 | 1:05:34 | |
pressure for other reasons, such as
winter, clearly this would have | 1:05:34 | 1:05:39 | |
multiplied the effect. As Simon
explained earlier, nationally it is | 1:05:39 | 1:05:49 | |
quite a small percentage of NHS
procedures which were affected, | 1:05:49 | 1:05:53 | |
somewhere around 1%. Clearly, if you
put that on top of a point where we | 1:05:53 | 1:06:02 | |
were having problems for other
reasons, that would have a big | 1:06:02 | 1:06:05 | |
effect. On the kill switch, I
discussed this with my colleagues at | 1:06:05 | 1:06:15 | |
the National Cyber Security Centre,
there is clearly some luck in terms | 1:06:15 | 1:06:28 | |
of whether somebody finds a
mitigation. What happens in these | 1:06:28 | 1:06:33 | |
cases is as soon as you get an
attack, a large number of people | 1:06:33 | 1:06:38 | |
across both the public and private | 1:06:38 | 1:06:42 | |
sector, look for tech mitigation and
hopefully someone finds one. At | 1:06:42 | 1:06:49 | |
which point, everybody else stops,
as it were. So you clearly could | 1:06:49 | 1:06:55 | |
have a scenario where none of those
people find something. So we were | 1:06:55 | 1:06:59 | |
lucky in a sense that somebody did,
but it is not the case that there | 1:06:59 | 1:07:04 | |
was only one person looking etc. As
it happens, that individual found | 1:07:04 | 1:07:09 | |
one and did so quite quickly and
that clearly mitigated the effect. | 1:07:09 | 1:07:16 | |
But there is some science as well as
some luck involved in those | 1:07:16 | 1:07:23 | |
processes. The kill switch as well,
as said earlier, there were 150 | 1:07:23 | 1:07:33 | |
countries impacted by this. The way
National Cyber Security works, | 1:07:33 | 1:07:37 | |
whoever finds the kill switch, the
key thing is it is broadcast as | 1:07:37 | 1:07:41 | |
quickly as possible. The fact that
it was found by somebody in this | 1:07:41 | 1:07:46 | |
country, we had already unpicked the
code, it could have been an hour | 1:07:46 | 1:07:50 | |
later or a day later, but we have to
make sure our agreements with the | 1:07:50 | 1:07:54 | |
other countries, whoever finds the
kill switch, the key thing is | 1:07:54 | 1:07:58 | |
communicating that quickly so you
can enact it and reduce the impact | 1:07:58 | 1:08:02 | |
of the attack. I understand what
you're saying, but in the event that | 1:08:02 | 1:08:05 | |
it had taken longer or it had not
happened, what could have been done | 1:08:05 | 1:08:10 | |
to try and mitigate the impact of
the ongoing attack? I think in terms | 1:08:10 | 1:08:18 | |
of what was happening, I think the
command and control were in position | 1:08:18 | 1:08:26 | |
and NHS England worked really well.
Simon Weldon said where he wanted | 1:08:26 | 1:08:30 | |
bits on the ground. All of that was
positive and it was a learning | 1:08:30 | 1:08:35 | |
experience as well. What I would say
is if that had not happened there | 1:08:35 | 1:08:40 | |
would be more business continuity
planning which needed to be taken | 1:08:40 | 1:08:42 | |
into account. There could have been
more organisations inactive but we | 1:08:42 | 1:08:49 | |
knew what the impact would be by
then. What this was doing was | 1:08:49 | 1:08:55 | |
locking out systems. We knew once it
had locked those systems, it was not | 1:08:55 | 1:09:00 | |
changing data. What it was doing was
blocking it. So business continuity | 1:09:00 | 1:09:04 | |
planning kicked in and worked really
well in the NHS. I would like to add | 1:09:04 | 1:09:09 | |
that the kill switch was not the
only thing going on to mitigate the | 1:09:09 | 1:09:15 | |
effect for organisations. Every NHS
organisation up and down the | 1:09:15 | 1:09:19 | |
country, IT engineers were working
in the server farms, in the network | 1:09:19 | 1:09:25 | |
areas, on the PCs to isolate and
make sure everything possible was | 1:09:25 | 1:09:37 | |
done. I do know organisations were taking
steps to protect themselves. We | 1:09:37 | 1:09:42 | |
cannot say what the impact would
have been if the kill switch was not | 1:09:42 | 1:09:45 | |
found but we do know action was taken
locally and that was having some | 1:09:45 | 1:09:50 | |
preventative effect on the spread.
Suppliers had updated their products | 1:09:50 | 1:09:59 | |
to stop that attack from happening.
Over the weekend, the fact they had | 1:09:59 | 1:10:04 | |
taken their product, uplifted it so
it was no longer a vulnerability | 1:10:04 | 1:10:07 | |
that could be exploited, the number
of organisations that could be | 1:10:07 | 1:10:12 | |
impacted would be reduced as long as
they had antivirus in place. Turning | 1:10:12 | 1:10:17 | |
to the review, can I ask what the
mechanism for implementing that | 1:10:17 | 1:10:25 | |
would be? I presented a report. We | 1:10:25 | 1:10:32 | |
will read over the coming weeks the
recommendations and they will no | 1:10:32 | 1:10:38 | |
doubt accept, reject or amend those
recommendations so we have a period | 1:10:38 | 1:10:44 | |
of dialogue to go through. Yes, we
will be using the existing | 1:10:44 | 1:10:50 | |
government mechanisms we used to
manage our IT investments and data | 1:10:50 | 1:10:58 | |
security detectors forward. It is a
complicated picture. It does involve | 1:10:58 | 1:11:08 | |
multiple organisations even at
national level and a lot of the | 1:11:08 | 1:11:10 | |
implementation needs to be done
hopefully by individual trusts and | 1:11:10 | 1:11:15 | |
others. I don't want to downplay the
complications but we do think we | 1:11:15 | 1:11:20 | |
have a good structure now for
bringing together the key players in | 1:11:20 | 1:11:30 | |
the NHS, and coming to a single
agreement, and it is that board that | 1:11:30 | 1:11:35 | |
does so. Mr Smart, of your 22
priorities, are there some you would | 1:11:35 | 1:11:42 | |
draw attention to and say that if
you had to pick out a number, these | 1:11:42 | 1:11:45 | |
are the areas of the greatest
importance which would have the | 1:11:45 | 1:11:48 | |
biggest impact? I would obviously
say all 22 are critically important. | 1:11:48 | 1:11:57 | |
If I were to summarise, leadership
is a really critical issue here. We | 1:11:57 | 1:12:02 | |
need boards to be engaged in the
cyber agenda and we need to make | 1:12:02 | 1:12:06 | |
sure that there is appropriate
governance within organisations to | 1:12:06 | 1:12:12 | |
enable clinical risk and technology
risk and operational risk to be | 1:12:12 | 1:12:16 | |
properly managed in the
organisation. One of my mantras over | 1:12:16 | 1:12:20 | |
the past month has been the boards
really need to be owning this agenda | 1:12:20 | 1:12:25 | |
and driving it within the
organisation. That is probably one. | 1:12:25 | 1:12:30 | |
The second area, my first four
recommendations are around | 1:12:30 | 1:12:33 | |
standards. I have worked in local
organisations and I have done my | 1:12:33 | 1:12:38 | |
best to ignore everything that NHS
England and Improvement have told me | 1:12:38 | 1:12:43 | |
at that time. But we absolutely
need to step up and be clearer what | 1:12:43 | 1:12:50 | |
good looks like and what the
standards are like. So the standards | 1:12:50 | 1:12:55 | |
around action plans to implement
Cyber Essentials Plus. But also a | 1:12:55 | 1:13:02 | |
recommendation as well, about being
clear about what technology and | 1:13:02 | 1:13:05 | |
technical standards need to be in
place with organisations I think is | 1:13:05 | 1:13:08 | |
really important. And then maybe
thirdly, rather than going through | 1:13:08 | 1:13:14 | |
everyone, what we saw I think in the
WannaCry attack was an environment | 1:13:14 | 1:13:20 | |
which was probably much more
connected in health care than I | 1:13:20 | 1:13:23 | |
think many of us give health care
credit for. We saw, particularly when | 1:13:23 | 1:13:28 | |
we looked at the 46 affected
organisations, that those which did | 1:13:28 | 1:13:33 | |
not have WannaCry infection but were
impacted as a result of decisions | 1:13:33 | 1:13:36 | |
being taken by others to protect
themselves, that we have a very | 1:13:36 | 1:13:42 | |
interconnected NHS. So the
recommendations around looking at | 1:13:42 | 1:13:48 | |
business continuity plans beyond the
boundaries of your own organisation, | 1:13:48 | 1:13:52 | |
to understand who you are connected
to, what the impact of decisions | 1:13:52 | 1:13:55 | |
that you will take on others and the
decisions that they take on your | 1:13:55 | 1:14:00 | |
organisation I think is critical to
ensuring that in that short period of time, | 1:14:00 | 1:14:03 | |
when we have an incident emerging
that we can be confident the right | 1:14:03 | 1:14:08 | |
decisions are being taken. Which
comes on to recommendation 15 which | 1:14:08 | 1:14:14 | |
talks about NHS digital having the
ability to isolate organisations, | 1:14:14 | 1:14:18 | |
parts of the country with particular
services in order to contain the | 1:14:18 | 1:14:23 | |
spread of a virus during an
incident. I want to ask how | 1:14:23 | 1:14:27 | |
in practical terms that would work?
So I think Rob and I had a long | 1:14:27 | 1:14:32 | |
conversation about this
morning. I think it goes back to the | 1:14:32 | 1:14:35 | |
point I made about business
continuity. This is not something | 1:14:35 | 1:14:40 | |
where we say we are about to switch
off large parts of the network, it | 1:14:40 | 1:14:45 | |
is particularly where together with
the local communities and | 1:14:45 | 1:14:48 | |
organisations, there is an emerging
threat within an organisation that | 1:14:48 | 1:14:52 | |
we take a decision to isolate.
Preventative, I think there is a lot | 1:14:52 | 1:14:57 | |
of work we need to do to make it an
option which is safe and practical | 1:14:57 | 1:15:02 | |
and it would not be something we
would do lightly. Just to add to | 1:15:02 | 1:15:08 | |
that, going back to a provider which
was badly affected at the time, it | 1:15:08 | 1:15:12 | |
has been really interesting to see
how boards have embraced this. I | 1:15:12 | 1:15:16 | |
think boards have learned a lot,
they understand their exposure, | 1:15:16 | 1:15:20 | |
their interconnections on a regional
and national level. You can see an | 1:15:20 | 1:15:24 | |
awful lot of board activity about risk.
None of these things are risk-free. | 1:15:24 | 1:15:29 | |
There is a danger that people think
this is the only risk we have to | 1:15:29 | 1:15:33 | |
deal with. Simple things like
maintaining a CT scanner is not risk-free. | 1:15:33 | 1:15:44 | |
Often you get simple routine
maintenance and then spend several | 1:15:44 | 1:15:47 | |
days getting the machine fully up
and running again. I think one of | 1:15:47 | 1:15:49 | |
the benefits is it has made boards
much more aware of their | 1:15:49 | 1:15:56 | |
vulnerabilities and this all cannot
sit at a national level. It is very | 1:15:56 | 1:16:00 | |
much knowing what your own risks are,
how you're connected in regional | 1:16:00 | 1:16:03 | |
systems and how you respond and help
each other out at this time. Sir | 1:16:03 | 1:16:08 | |
Chris, do we know how much these
recommendations will cost and is the | 1:16:08 | 1:16:12 | |
money there to deliver on them in
full if that is what the department | 1:16:12 | 1:16:16 | |
decides? Not precisely, no. We have
made an initial reprioritisation of | 1:16:16 | 1:16:24 | |
150 million to this, but for some of
the reasons I explained earlier, we | 1:16:24 | 1:16:27 | |
will keep that under review. As I
say, this is one of the things that,
in taking forward Will's report, | 1:16:34 | 1:16:40 | |
the digital delivery board will
consider, which overlooks the entire | 1:16:40 | 1:16:46 | |
programme of 4.2 billion across the | 1:16:40 | 1:16:46 | |
Spending Review. We have not tried
to cost individually the individual | 1:16:46 | 1:16:53 | |
recommendations, we have made an
initial investment on resources. We | 1:16:53 | 1:16:59 | |
will keep that under review and we
will take the advice of the delivery | 1:16:59 | 1:17:02 | |
board about where we need to go in
the future. What is more difficult | 1:17:02 | 1:17:07 | |
to gauge is, we know there will be
costs involved with implementing the | 1:17:07 | 1:17:11 | |
costs of the review, but we do not
know what the unspecified or | 1:17:11 | 1:17:14 | |
undetermined costs of what an attack
of greater magnitude could be so | 1:17:14 | 1:17:21 | |
this may involve significant
spending but it could in the long | 1:17:21 | 1:17:23 | |
run be not only the right thing to
do in terms of patient safety but | 1:17:23 | 1:17:27 | |
save the NHS a lot of money in the
event that a more serious attack | 1:17:27 | 1:17:30 | |
were to occur? Yes, but all these
questions are difficult issues of | 1:17:30 | 1:17:40 | |
the balancing of risk. We were
discussing some of this outside. The | 1:17:40 | 1:17:48 | |
way to best make yourself secure
against cyber attack is to turn | 1:17:48 | 1:17:52 | |
everything off, with obvious
consequences for patients and | 1:17:52 | 1:17:59 | |
others. Likewise, it is possible to
spend considerable sums of money, | 1:17:59 | 1:18:04 | |
and still be vulnerable to attacks
and when you look at attacks across | 1:18:04 | 1:18:11 | |
the board, it has included
organisations that spend huge sums | 1:18:11 | 1:18:17 | |
of money. So the question of
investing wisely is probably more | 1:18:17 | 1:18:26 | |
important here than the actual
quantum, and some of the other | 1:18:26 | 1:18:31 | |
issues that Will was picking out
about culture and cyber security are | 1:18:31 | 1:18:38 | |
again probably more important than
the quantum here. There are clearly | 1:18:38 | 1:18:46 | |
investment questions here which is
why we have made reprioritisation | 1:18:46 | 1:18:55 | |
but you can spend enormous sums of
money and not be secure. Can I add | 1:18:55 | 1:19:01 | |
as well that we have got to make sure
that we future proof this. What we | 1:19:01 | 1:19:07 | |
cannot do is throw public money and
say we will protect now but we are | 1:19:07 | 1:19:11 | |
protecting against the past. We have
to make sure that we have a | 1:19:11 | 1:19:15 | |
well-balanced risk. It is all about
layered protection. We can say we | 1:19:15 | 1:19:19 | |
are doing something at the front
door but someone is climbing through | 1:19:19 | 1:19:22 | |
your back window at same time. You
have to make sure that as you peel | 1:19:22 | 1:19:26 | |
back the onion that you have
different layers of protection and | 1:19:26 | 1:19:30 | |
NHS digital should hopefully with
the money that has been allocated, | 1:19:30 | 1:19:36 | |
do something to reduce the systemic
risk. It does not make sense for | 1:19:36 | 1:19:41 | |
each organisation to monitor
organisations at its perimeter. The | 1:19:41 | 1:19:45 | |
other part of Will's recommendation,
at the minute NHS Digital do not | 1:19:45 | 1:19:50 | |
know what is deployed in all the
major trauma centres, the Ambulance | 1:19:50 | 1:19:54 | |
Service and big foundation trusts.
If we knew what was deployed and | 1:19:54 | 1:19:58 | |
then we have a threat, we can make
targeted analysis and we can make it | 1:19:58 | 1:20:04 | |
at individual organisation level.
That fits with some of the guidance | 1:20:04 | 1:20:06 | |
and it makes it much more specific.
I know in terms of the | 1:20:06 | 1:20:11 | |
recommendations, I know it talks
about switching people off the | 1:20:11 | 1:20:13 | |
system, but a crucial thing is about
understanding what is deployed and | 1:20:13 | 1:20:25 | |
what the threat and ounces. That is
certainly a big priority for me. Can | 1:20:25 | 1:20:36 | |
you give an idea of where we would
expect to be in six months from now | 1:20:36 | 1:20:40 | |
and how we would complete all 22? We
are already undertaking a great deal | 1:20:40 | 1:20:47 | |
of work around cyber protection,
remediation etc as we speak. All of | 1:20:47 | 1:20:52 | |
these actions will start
immediately. Some of them have a | 1:20:52 | 1:20:55 | |
longer lead time and again, we need
to have a detailed conversation with | 1:20:55 | 1:21:01 | |
the data security leadership board
as to what the appropriate plan and | 1:21:01 | 1:21:05 | |
timescale for that looks like, so I
would expect that over the next few | 1:21:05 | 1:21:11 | |
weeks, months, we will be able to
come back with a much clearer plan | 1:21:11 | 1:21:16 | |
and timetable. We are coming towards
the end. Can I have some quickfire | 1:21:16 | 1:21:23 | |
questions? Principally to Sir Chris
and Simon Stevens. Can you tell us | 1:21:23 | 1:21:28 | |
where we have got with the CareCERT
system. How many organisations are | 1:21:28 | 1:21:37 | |
signed up for the CareCERT portal
and how many organisations have | 1:21:37 | 1:21:41 | |
registered technical compliance? So
CareCERT, we have worked with the | 1:21:41 | 1:21:49 | |
leaders both with NHS England and
NHS Improvement and all the | 1:21:49 | 1:21:53 | |
foundation trusts are signed up to
it. There are some benefits to that. | 1:21:53 | 1:21:57 | |
It is not a case of signing up and
we can contact them, where it is | 1:21:57 | 1:22:04 | |
providing enhanced threat protection,
we have done a customised agreement | 1:22:04 | 1:22:09 | |
so that organisations can download
patches. Round about a third of all | 1:22:09 | 1:22:15 | |
trusts have downloaded patches from
the service. But that does not mean two | 1:22:15 | 1:22:19 | |
thirds haven't. This is to support
software which was not previously | 1:22:19 | 1:22:26 | |
supported. CareCERT is moving
forward. There is a number of things | 1:22:26 | 1:22:33 | |
we have put forward around
vulnerability scanning. There are | 1:22:33 | 1:22:37 | |
things we can do with the funds
allocated. We need to make sure we | 1:22:37 | 1:22:42 | |
prioritise things in terms of impact
and what the systemic risk is in | 1:22:42 | 1:22:47 | |
terms of value for money. In terms
of signing up, I'm pleased to say | 1:22:47 | 1:22:52 | |
that through NHS England and NHS
Improvement, there is 100% sign-up now | 1:22:52 | 1:22:56 | |
from the trusts. The high-risk are
fully signed up. | 1:22:56 | 1:23:07 | |
Are you sure in your own mind both
your organisations have a handle on | 1:23:07 | 1:23:12 | |
preparedness in the event of an
attack? Or are there other | 1:23:12 | 1:23:18 | |
organisations out there that are
still unprepared? I think we have | 1:23:18 | 1:23:24 | |
got much better visibility than we
had in May about the situation. What | 1:23:24 | 1:23:28 | |
we are focusing the 25 million
second tranche of funding this year | 1:23:28 | 1:23:35 | |
is for those organisations that have
vulnerabilities around some of the | 1:23:35 | 1:23:40 | |
high-level care issues that were
identified and to address the immediate | 1:23:40 | 1:23:44 | |
issues there. We have a good sense
of where the next group of | 1:23:44 | 1:23:50 | |
organisations are going to. We know
that some organisations, but she is | 1:23:50 | 1:23:54 | |
a good example, which is a huge
organisation, they have a lot to do | 1:23:54 | 1:24:00 | |
to address all of their cyber
resilience issues and we are working | 1:24:00 | 1:24:04 | |
hard with them in terms of working
through their vulnerabilities, | 1:24:04 | 1:24:07 | |
providing them with funding and
support. I think we broadly know | 1:24:07 | 1:24:12 | |
those organisations which we are most
worried about and we have a plan for | 1:24:12 | 1:24:16 | |
them. Do you have a number in your
head of the trusts that have a lot | 1:24:16 | 1:24:22 | |
more work to do? I would not like to
give a number out. I am happy to | 1:24:22 | 1:24:27 | |
come back with a number. I
appreciate it might be sensitive | 1:24:27 | 1:24:36 | |
information, but what I am trying to
get at is within the parameters
you have set out, always it is the
worst that have the most work to do | 1:24:39 | 1:24:46 | |
and I want to know if you are on top
of those that have a lot more work | 1:24:46 | 1:24:50 | |
to do? We have a list and we have
regular calls in an age with the | 1:24:50 | 1:24:58 | |
improvement staff where we go
through those organisations that we | 1:24:58 | 1:25:00 | |
think are furthest away from having
all of the technical controls in | 1:25:00 | 1:25:06 | |
place that are required. In one
sense, and this may come out as | 1:25:06 | 1:25:13 | |
slightly odd, I am almost less
worried about those organisations | 1:25:13 | 1:25:16 | |
because they are the organisations
that know themselves they have a | 1:25:16 | 1:25:20 | |
distance to go. I think the worry and
the cultural leadership challenge is | 1:25:20 | 1:25:25 | |
for those organisations that were
not affected during the WannaCry | 1:25:25 | 1:25:30 | |
crisis that may think that reflects
the good work the organisation | 1:25:30 | 1:25:36 | |
has done, those are the
organisations we need to be | 1:25:36 | 1:25:39 | |
targeting to make sure that they are
really on top of it in the | 1:25:39 | 1:25:42 | |
infrastructure. Is this CQC
inspection the only way you will get | 1:25:42 | 1:25:48 | |
an in-depth knowledge of where each
trust is or are there other | 1:25:48 | 1:25:52 | |
mechanisms that you can use to
enquire into their preparedness? We | 1:25:52 | 1:25:57 | |
do a full inspection on site,
penetration testing, looking across | 1:25:57 | 1:26:00 | |
the full estate so when they respond
the information gets passed to CQC. | 1:26:00 | 1:26:10 | |
Before it was just between ourselves
and the local organisations but as a | 1:26:10 | 1:26:14 | |
result of WannaCry that information
is being shared so CQC can use that | 1:26:14 | 1:26:18 | |
as part of the unannounced
inspections if they choose to do so, | 1:26:18 | 1:26:23 | |
but through this area we can see the
ones that are at the lower end as | 1:26:23 | 1:26:28 | |
well as the ones at the top end.
Clearly at high-level there are a | 1:26:28 | 1:26:35 | |
lot of government organisations and
key government organisations that | 1:26:35 | 1:26:39 | |
are looking at the whole area of
cyber security. Are you satisfied | 1:26:39 | 1:26:44 | |
that your contacts with all those
government agencies are sufficient | 1:26:44 | 1:26:47 | |
to enable your department because
this is an ongoing science? You can | 1:26:47 | 1:26:53 | |
never rest from it. There are new
methods of penetrating IT systems | 1:26:53 | 1:26:58 | |
coming along all the time. Are you
really sure all government agencies | 1:26:58 | 1:27:03 | |
are coordinating as they should? I
can never promise they are | 1:27:03 | 1:27:07 | |
coordinating perfectly. NHS Digital
have very close working | 1:27:07 | 1:27:17 | |
relationships with us and during the
cyber attacks and we work closely | 1:27:17 | 1:27:22 | |
with them afterwards as well. That
is a new piece of the landscape and | 1:27:22 | 1:27:28 | |
it makes it considerably simpler for
us that there is a single centre for | 1:27:28 | 1:27:38 | |
all government needs on these issues
and which we can work with. There is | 1:27:38 | 1:27:44 | |
only ourselves and the MoD along
with the National Cyber Security | 1:27:44 | 1:27:49 | |
Centre, so other departments rely on
information being fed out. Because | 1:27:49 | 1:27:55 | |
we are monitoring the National
spine, the mail system, etc, we | 1:27:55 | 1:28:03 | |
share information with the National
Cyber Security Centre so there are | 1:28:03 | 1:28:06 | |
alerts that come out from them that
originate from what we have seen on | 1:28:06 | 1:28:12 | |
our networks. That partnership has
grown quite significantly in the | 1:28:12 | 1:28:15 | |
last 12 months or so. Can I go back
to your point on the EPRR? What time | 1:28:15 | 1:28:28 | |
did you know that this attack was
taking place? It was about one | 1:28:28 | 1:28:32 | |
o'clock on the Friday that there
were the first reports. A national | 1:28:32 | 1:28:38 | |
incident was called at four o'clock.
Is that right? If that is the | 1:28:38 | 1:28:44 | |
timescale that sounds like a
reasonable timescale to be making a | 1:28:44 | 1:28:48 | |
decision on a very important
national issue? As I say, the NHS is | 1:28:48 | 1:28:55 | |
very good at emergencies and it does
kick in very quickly. We had a | 1:28:55 | 1:29:01 | |
conversation with the National Cyber
Security Centre straightaway when | 1:29:01 | 1:29:04 | |
the first reports came in, which was
also helpful to that | 1:29:04 | 1:29:10 | |
decision-making. But the
decision-making by NHS England was | 1:29:10 | 1:29:15 | |
very swift indeed. The first trusts
were reporting to NHS Digital by | 1:29:15 | 1:29:22 | |
lunchtime one o'clock and by four
o'clock it had become a larger group | 1:29:22 | 1:29:27 | |
of trusts so we declared a major
incident. At five to five NHS | 1:29:27 | 1:29:35 | |
Digital released to the NHS
bulletin. At five o'clock we briefed | 1:29:35 | 1:29:42 | |
the Secretary of State and by 6:45pm
we had initiated the EPRR plans for | 1:29:42 | 1:29:49 | |
coordinating across the whole of the
NHS. Thank you for that helpful | 1:29:49 | 1:29:54 | |
answer. Can I challenge one of your
earlier answers in which you said it | 1:29:54 | 1:29:58 | |
worked well. In communications there
seems to have been a bit of tension | 1:29:58 | 1:30:05 | |
between what you should have been
communicating and in some respects | 1:30:05 | 1:30:09 | |
people wanted more information to
know what was happening in their | 1:30:09 | 1:30:13 | |
NHS. In another respect some of the
trusts were wanting to keep it quiet | 1:30:13 | 1:30:17 | |
because they did not want their
particular weaknesses to be exposed | 1:30:17 | 1:30:22 | |
I presume. Have you undertaken a
lessons learned as it were for the | 1:30:22 | 1:30:30 | |
whole EPRR process? Have you in
particular looked at how you would | 1:30:30 | 1:30:36 | |
communicate these types of incident
in the future? Yes, we review the | 1:30:36 | 1:30:41 | |
process all the time and every time
there is an incident that uses the | 1:30:41 | 1:30:48 | |
machinery there are lessons learned.
We update it in the light of | 1:30:48 | 1:30:53 | |
experience. Just to clarify, what I
mean is the EPRR system worked as it | 1:30:53 | 1:31:01 | |
was designed to work. In that sense
that is what we all want. That is | 1:31:01 | 1:31:08 | |
not to say that it was perfect for
these incidents. We have to evolve | 1:31:08 | 1:31:14 | |
the system in the future. That is to
be clear about what my previous | 1:31:14 | 1:31:18 | |
answer meant, it worked as it was
supposed to work, which is a good | 1:31:18 | 1:31:22 | |
starting place, that is not to say
it was completely perfect for this | 1:31:22 | 1:31:26 | |
incident. What I was going to add was
that the evolution of it over the 72 | 1:31:26 | 1:31:36 | |
hours from Friday night through to
Monday morning was such that the | 1:31:36 | 1:31:40 | |
first 24 hours or so were about
establishing what was happening | 1:31:40 | 1:31:47 | |
technically; since the principal
arrangements that had to be put in | 1:31:47 | 1:31:50 | |
place were linked to major trauma
and emergency care system, there was | 1:31:50 | 1:31:57 | |
a public, behavioural response
needed on the Saturday. Parallel | 1:31:57 | 1:31:59 | |
with that the government responded
with Cobra arrangements and | 1:31:59 | 1:32:06 | |
perfectly understandably decided to
communicate as a security related | 1:32:06 | 1:32:10 | |
incident, and the initial evidence
was that is what it was. By the time | 1:32:10 | 1:32:17 | |
we got to Sunday we needed to give
public advice about whether or not | 1:32:17 | 1:32:21 | |
to go to your GP appointment or
hospital outpatients on the Monday | 1:32:21 | 1:32:25 | |
and at that point the NHS
communications publicly kicked in as | 1:32:25 | 1:32:28 | |
they normally would. So are you
satisfied that the communications | 1:32:28 | 1:32:34 | |
were as seamless as they should have
been? We talked about the mechanisms | 1:32:34 | 1:32:40 | |
with individual trusts and GPs, and
we accept the early points, but in | 1:32:40 | 1:32:47 | |
terms of the public communication in
terms of what the public were being | 1:32:47 | 1:32:51 | |
asked to do, yes, by the time we got
to Sunday people were getting the | 1:32:51 | 1:32:55 | |
right advice for Monday. Can I just
ask you one of the technical issues | 1:32:55 | 1:33:08 | |
I am advised on about the particular
WannaCry virus was the ability to | 1:33:08 | 1:33:15 | |
be able to communicate with each
organisation's server. If | 1:33:15 | 1:33:23 | |
you turn to the report on page 20 it
says it limited central information | 1:33:23 | 1:33:31 | |
on trusts, IT and digital assets
such as IP addresses. It then goes | 1:33:31 | 1:33:35 | |
on to say at the start of its
investigation the National Crime | 1:33:35 | 1:33:40 | |
Agency had to gather evidence from
all sides including information that | 1:33:40 | 1:33:45 | |
affected IP addresses and network
traffic. If the kill switch had not | 1:33:45 | 1:33:51 | |
worked, this sort of core, central
information should have been | 1:33:51 | 1:33:57 | |
something that was pretty readily
available to either NHS England or | 1:33:57 | 1:34:00 | |
the Department. I am wondering if
you have rectified that. At the | 1:34:00 | 1:34:08 | |
moment we do not collect that
information nationally and that is | 1:34:08 | 1:34:15 | |
part of the recommendation 15. We
need to understand what IP addresses | 1:34:15 | 1:34:19 | |
local organisations work with and
that type of thing. Before we had | 1:34:19 | 1:34:25 | |
WannaCry, going back eight months,
it was a simple question of who do | 1:34:25 | 1:34:29 | |
you write to in the NHS? When EPRR
starts to kick in in terms of tried | 1:34:29 | 1:34:37 | |
and tested mechanisms we did not
have a list of all the security | 1:34:37 | 1:34:41 | |
leads, all of the staff we needed to
put this out across health and | 1:34:41 | 1:34:46 | |
social care. We have collected that
information and we are continuing to | 1:34:46 | 1:34:50 | |
evolve the way we do communicate. If
we were able to get what is deployed | 1:34:50 | 1:34:57 | |
locally, then we could say we now
know where that vulnerability lies | 1:34:57 | 1:35:00 | |
and we give certain information to
certain areas. We covered | 1:35:00 | 1:35:06 | |
previously, but it was a well-made
point in the report. | 1:35:06 | 1:35:16 | |
I was going to come onto timescales.
Perhaps Sir Chris or Simon Stevens | 1:35:16 | 1:35:22 | |
could answer, when would you expect
to be in a position to tell us when | 1:35:22 | 1:35:29 | |
all the 22 recommendations in Mr
Smart's report are going to be | 1:35:29 | 1:35:35 | |
implemented and under what
timescale? The purpose of that | 1:35:35 | 1:35:38 | |
question is to work out when this
committee might revisit the subject. | 1:35:38 | 1:35:43 | |
We will say six months. Six months
in terms of having a firm plan. | 1:35:43 | 1:35:50 | |
Recommendation one talks about cyber
essentials being in place around the | 1:35:50 | 1:35:55 | |
NHS by June 2021. That would be the
long stop in terms of when the plan | 1:35:55 | 1:36:00 | |
as a whole would finish but
certainly we can give you a plan... | 1:36:00 | 1:36:04 | |
I think what I would like to ask is
if you would give the National Audit | 1:36:04 | 1:36:10 | |
Office a six-month update about
where you are with the report, then | 1:36:10 | 1:36:15 | |
we will know when we ought to
revisit this subject? I think that | 1:36:15 | 1:36:21 | |
would be completely appropriate. The
point we have made throughout this | 1:36:21 | 1:36:26 | |
hearing, although we will put in
dates on the actions, and it is very | 1:36:26 | 1:36:33 | |
important to monitor them, this is
of course a job which is never done. | 1:36:33 | 1:36:37 | |
It is not as if we are going to
reach 2021 and declare victory on | 1:36:37 | 1:36:43 | |
cyber security, and nor will things
that Will has published be the last | 1:36:43 | 1:36:48 | |
word on what the Government needs to
do, and I think a six-month report | 1:36:48 | 1:36:56 | |
to the National Audit Office would
be entirely appropriate. Sir Chris, | 1:36:56 | 1:37:02 | |
I cannot find it in the time
available, or one of Mr Smart's key | 1:37:02 | 1:37:06 | |
recommendations on people, and this
is very much an | 1:37:06 | 1:37:14 | |
evolving science, so you will need
good young trained people. Are you | 1:37:14 | 1:37:19 | |
satisfied that your national cyber
centre, the NHS cyber centre is | 1:37:19 | 1:37:26 | |
producing people with the right
skills that you require to deal with | 1:37:26 | 1:37:30 | |
this whole problem? It is difficult
for me to comment on what the | 1:37:30 | 1:37:37 | |
National Cyber Security Centre is
doing. In NHS Digital you are | 1:37:37 | 1:37:41 | |
building your capacity that entire
time. We are. Simon mentioned at the | 1:37:41 | 1:37:46 | |
start, my staff came in on Friday
morning and went home on Monday, | 1:37:46 | 1:37:52 | |
unfortunately in the same clothes,
pants, socks etc, so it was not a | 1:37:52 | 1:37:56 | |
good place to be on that weekend,
but where it has ended up is we have | 1:37:56 | 1:38:02 | |
around 18 to 20 deeply skilled
people. We are doing a graduate | 1:38:02 | 1:38:07 | |
scheme so we are working with
universities to try and grow our own | 1:38:07 | 1:38:12 | |
but the realism is this is a
sought-after skill. There are lots | 1:38:12 | 1:38:19 | |
of organisations in the private
sector which can employ people and | 1:38:19 | 1:38:21 | |
there are three jobs for every
skilled cyber expert. We rely on the | 1:38:21 | 1:38:25 | |
fact that people are committed in
terms of the way they want to give | 1:38:25 | 1:38:29 | |
something back to the public sector.
We have grown a team who have | 1:38:29 | 1:38:33 | |
realised what a difference they have
made in terms of the impact on | 1:38:33 | 1:38:38 | |
patients and care. We are trying to
give them training programmes, we | 1:38:38 | 1:38:41 | |
are trying to make it so that they
have a career ladder and they can | 1:38:41 | 1:38:44 | |
work through. But we will have to
continually, across our | 1:38:44 | 1:38:49 | |
organisations, not just in mind that
the local organisations etc, we have | 1:38:49 | 1:38:53 | |
to be able to attract and retain top
talent on this. Where we cannot get | 1:38:53 | 1:38:58 | |
it in terms of permanent staff, one
of the things we have done in terms | 1:38:58 | 1:39:03 | |
of WannaCry is we have worked with
Crown services and the National | 1:39:03 | 1:39:06 | |
Cyber Security Centre, to say if you
have not got the staff or the | 1:39:06 | 1:39:10 | |
capability, how can you draw on
suppliers? When you are in the heat | 1:39:10 | 1:39:15 | |
of an incident like this, if you
bring the wrong supplier in you can | 1:39:15 | 1:39:20 | |
do more harm than good. That is
something we have put on our website | 1:39:20 | 1:39:24 | |
to support local organisations.
Nationally this is an area where the | 1:39:24 | 1:39:29 | |
country is short. When I was at the
Department for Education, it is one | 1:39:29 | 1:39:35 | |
of the reasons why we added coding
because we do need to grow more | 1:39:35 | 1:39:38 | |
people nationally and the NHS
competes in the market for those | 1:39:38 | 1:39:44 | |
valuable people with everybody else.
Can I thank you. Just an | 1:39:44 | 1:39:54 | |
opportunistic comment, which is not
directly related, it is not a cyber | 1:39:54 | 1:39:58 | |
attack but it was a Twitter attack
on the NHS today, President Trump | 1:39:58 | 1:40:02 | |
has been tweeting about the National
Health Service today. Unfortunately, | 1:40:02 | 1:40:06 | |
I think we suggested that we got the
wrong end of the stick, and in fact | 1:40:06 | 1:40:12 | |
people in this country do not want
to ditch our NHS, notwithstanding | 1:40:12 | 1:40:16 | |
everything we have been talking
about today, they want to keep it | 1:40:16 | 1:40:19 | |
and strengthen it. So an invitation,
if the president were to be visiting | 1:40:19 | 1:40:26 | |
later this year, would be to visit
doctors, hospitals, scientists, to | 1:40:26 | 1:40:33 | |
hear about cataract services, hip
replacements, modern scanners, the | 1:40:33 | 1:40:37 | |
world first liver, heart and lung
transplant, the genomics revolution | 1:40:37 | 1:40:41 | |
all underway and go away that
understanding the health care for | 1:40:41 | 1:40:47 | |
everybody, delivered at half the
cost of the US health care system, | 1:40:47 | 1:40:51 | |
is something that people in this
country are deeply and rightly | 1:40:51 | 1:40:54 | |
committed to. I am very grateful to
that, Mr Stevens. I think we often | 1:40:54 | 1:41:00 | |
underestimate our excellent health
service and I think you and others | 1:41:00 | 1:41:02 | |
get their fair share of criticism
but you do work very hard and I am | 1:41:02 | 1:41:06 | |
very grateful to all our witnesses
for coming this afternoon, Sir | 1:41:06 | 1:41:10 | |
Chris and your team, Simon Stevens
and your team, and thank you for all | 1:41:10 | 1:41:14 | |
the work you did during the WannaCry
attack. It must have been a worrying | 1:41:14 | 1:41:18 | |
time for a few days. Thank you very
much for that and for answering our | 1:41:18 | 1:41:23 | |
questions this afternoon. Thank you. | 1:41:23 | 1:41:27 |