Public Accounts Committee Select Committees

You are considering the report on

the cyber attack on the NHS. The

developments of information

technology including cyber are

increasingly important in the way

the NHS functions and the country in

general. Developments present

challenges, risks as well as

benefits and opportunities. This was

demonstrated by the cyber attack

last May which caused disruption

around the world including to our

own NHS. The attack affected one

third of trusts and caused 19,000

hospital appointments to be

cancelled. And affected 603 primary

care organisations and 595 GP

practices. The newly named

Department of Health and social care

and the NHS were aware of the threat

of a cyber attack, yet were unable

to prevent the widespread disruption

caused. The NHS was able to manage

the attack using existing emergency

response arrangements and

requirements but we were fortunate

the attack was not more damaging. We

want to get answers from NHS

England, NHS digital and NHS

improvement on what they learned

from the attack and what actions

they will take to make sure they can

better prevent and recover from any

future cyber attack. Late last week

NHS England and NHS improvement

published its lessons learned review

on the attack. It may have been a

coincidence the publication was

ahead of today's hearing, maybe not.

It builds on the reporting with its

22 recommendations. From it, we need

to understand more about this

document and its context,

specifically how priorities are

being set and where the resources

are coming from and the timing of

his dimensions. It is unclear how

the numerous recommendations and

implementation will work from the

report. We are pleased to welcome

our illustrious team of witnesses.

Robshaw, deputy chief executive of

NHS Digital. The permanent Secretary

of the Department of Health. You are

a frequent flyer entry to this

committee. Almost as frequent but

not quite, we have next to him Simon

Stephens, chief executive of NHS

England. Then, the chief information

officer of NHS England and

Improvement. And Jim Mackay, former

chief executive of NHS Improvement.

Welcome, gentlemen. I should perhaps

start with eight general question to

Sir Chris. -- as general question.

Can you ensure that no person was

found and no future risk to the NHS

information? -- no person was

harmed?

Both in the report. I know

one paid the ransom and we do not

have any direct cases of patient

harm resulting from this attack that

as you said was considerably

disruptive, affecting patients. Can

we guarantee future security? No, we

can't. Just like every other

organisation cyber attacks and

cybercrime are facts of life. If you

believe you are completely safe from

cybercrime, that would be a

extremely bad sign indeed. I cannot

get you that reassurance. While I

have before, I will pick up your

point that it is not a coincidence

we published our response in advance

of this hearing because this was

work already in train. We had

commissioned this after WannaCry and

of course we wanted to be able to be

frank with the committee about what

we were actually doing in this

point. We wanted to set that up

rather than sitting yet knowing

there was more to come. It is

nothing to do with this hearing that

the report excess, but we wanted

this committee to be informed.

We will don't ever more technical

witnesses and ask how we can be sure

that there is no threat to the NHS

future, that there information from

this TO attack. How can you be sure

the virus has been eliminated from

NHS systems?

I don't think we can

guarantee the thread has gone away.

The threat continues. Over the

course of the week of the major

incident, local organisations put in

a huge amount of work, local staff

up and down the country patched

systems of put in place, change the

firewalls to improve the resilience

of the organisation. A few weeks

after WannaCry, there was another

attack using the same set of

vulnerabilities. That attack impact

is a large number of multinational

organisations, some of whom had

their whole IT infrastructure wiped

out and had to be built from the

ground up again. I think the fact

that in that case, using the same

vulnerabilities that the NHS wasn't

impacted give some comfort, but it

is important that local

organisations, national bodies, that

we are continually vigilant for the

threats and take appropriate action

when necessary.

As well as that, we

have also had another exact

replication of WannaCry with the

virus called Bad Rabbit. We have had

two attacks using the same exploits

as WannaCry and there was no health

organisations impacted by that as a

result of the remediation taken as

part of the mitigation of the

WannaCry attack.

The department and

the Cabinet Office wrote to the

trust in 2014 saying it was

essential they had robust plans in

place to mitigate from old software

such as Windows XP. So you have to

thought about this a long time ago

but it seems that that information

somehow hadn't really transferred

through into action by individual

trusts by the time of this WannaCry

attack on the 12th of June 2000 and

17.

It was a mixed picture. As you

say, some action was taken in 2014

and there was a very big turning

point in 2015, the National Guardian

's report and the CKC report. A big

programme of work was put in place

around cybercrime nationally for

pretty much the first time in the

NHS. Between that date and the

actual WannaCry attack, a lot of

progress had been made. So if you

look at XP, which are raised in

2015, I think that was about 18% of

NHS systems, it was down to 4.7% at

the time of the WannaCry present and

is now down to 1.8%. However, a lot

of work had been done, it was at the

time of the attack work in progress,

so we have started a programme but

had not finished it. We were in a

better position to deal with this

attack at the point that it happened

but by no means perfect and we'll

come onto some of the lessons

learned. We do have a lot to learn

from the attack about how we deal

with these things in future. But we

were better prepared than we had

been two years previously.

If you

read the summary of the report, it

says, prior to the attack, NHS

digital conducted is an on-site

security assessment for 88 of the

trust and on his past. There must

have been on alert warning lingering

on your department.

I was going to

comment on this but the point of

those assessments is to identify

weaknesses so they can be improved.

It is quite a high bar and every

trust has things it can improve

around, even the ones that do it

well. That is the point of the

on-site assessment. Of course we

want to get to a position where we

no longer are finding things in

trusts that need improving but we

are not there yet.

But with great

respect, that's quite a glossy

answer. None of the trusts had

passed this assessment, none of

them. If the majority had I think

your currency would have held water

but none of them had. Surely this

must have been something high up on

your interests.

This had been

identified as a big risk and as I

say, a loss of action was in place

partly for the reason that you say.

As I say, we had not finished the

programme. They were still

continuing vulnerabilities and

WannaCry, our assessment of WannaCry

and what happened in the incident

demonstrated to us that we needed to

go much further. Your basic point I

agree with you, that's clearly there

were challenges in the system, some

of them known about, which we had

existing programmes to deal with,

some of them we learned from the

WannaCry at and we need to take

further action on.

We have now

completed 200 on-site assessments,

we had done a date before WannaCry.

All trusts still failed and there

are reasons for that. This isn't a

case that all trusts have done

nothing around cyber security. The

amount of effort it takes in the NHS

to reach the standard we assess

against is quite a high bar, so some

of them failed purely on patching,

which is what the vulnerability was

around WannaCry. We work now with

organisations, I always think it is

better to have information about

where your vulnerabilities are three

can do something about it rather

than hope will be OK when you do get

an attack. The vulnerability reports

go back to the trusts only trust

board is to able to work out how

they can then do mitigation. Some

need to do quite a considerable

amount of work but a number of ready

on the journey that will take them

towards that requirement. One of the

things we may want to consider that

it's something that now we have the

additional funding available, is

whether we should go back and we

inspect those where there is the

highest risk in order to provide

ourselves with the assurance they

are going in the right direction.

I

made a mistake, it was the 12th of

May, not the 12th of June, the

attack. We are eight months on from

that attack and the paragraph, it

goes on to say that NHS digital

cannot mandate a local body to take

remedial action even if it has

concerns of the vulnerability of an

organisation. Do you think that your

department has sufficient powers to

be able to shake up these trusts and

be able to take the necessary

action?

Yes, we do. They don't fall

to NHS Digital, they are mainly in

the reinforcement powers of CQC.

Some of the things we had set out

before WannaCry attack but are now

in place by the data and security

standards set in the standard

contract for the NHS trusts and part

of their contracts for doing

business. This has gone into the CQC

inspection, so CQC will inspect

against it, and the support

mechanism would be the same as we

use for any other problems we have

in the trusts. It would be for CQC

to report and the would-be NHSI to

take further action if need be. It

goes into the general system. Which

is not to say that there were things

that we needed to learn from

WannaCry that we didn't.

We are

coming on to that.

It is worth

adding that as part of the well led

inspections, CQC are also doing

unannounced inspections where there

is a concern around cyber security.

For a three-month period up to the

end of March, we are doing a small

number of CQC inspections. We will

do unannounced inspections only

trust and will then do a lessons

learned in terms of, is that the

right thing to do? Not at burden

onto an existing framework to get

the value out of inspections.

Each

answer is provoking more questions

but I want to bring my colleagues

in. I want to ask a question about

the very serious evidence, I don't

know whether you have had a chance

to see, from a former director of

the Health and Safety Executive. He

recently did a cyber security review

for the MoD so presumably he is

quite well qualified in these

matters. He makes the point that as

the WannaCry attack was able to

encrypt NHS information, if it was

able to encrypt NHS information it

was presumably able to alter NHS

information and that could have felt

really serious implications such as

changing blood groups and that sort

of thing. Do you think that our

systems are no suspicion the robust

to be able to...? Is that evidence

true and if it is, would we be in a

position to refute further attack

was able to do this?

I'm afraid I

don't have the evidence I can't

comment on that. It's may well be

true that data could be changed. It

is important to say that every NHS

organisation thoroughly backs up

this data so true copies are

available, will be held off-site,

and after WannaCry, any systems

would have been restored from

back-ups because effectively the

date doubles loss. So while there

are technical risks, in this

instance the data was restored from

copies which have been secured.

At a

minimum, the CQC random inspections

should make sure that all

organisations are properly backing

up their information.

Thank you.

Obviously we were quite lucky that

it was a relatively unsophisticated

attack, but perhaps I could ask,

given that we had reports in July

2016 from the National data Guardian

and the Care Quality Commission

regarding cyber security and

recently as Mark and April before

the attack, the NHS digital, how

come we were so unprepared for it?

I

refer you to my answer earlier. I

don't think we were completely

prepared and we had lots to learn

from the WannaCry attack, but nor

are we completely unprepared.

Between the reports that you

mentioned and the date of the

WannaCry attack, a lot had happened

to implement those reports. As both

the reports have picked up, there is

a lot more that can be done, but we

had actually implemented the vast

majority of what the National data

Guardian and CQC were recommending.

We had not finished implementing it

but I'm not sure I can add very

much.

This is the first time we knew

there was a vulnerability in the

Microsoft operating system, but it

had never been exploited. We had put

Biden said as patching had taken

place in over two thirds of the

trusts, they were all secure her his

a fire was to protect against

vulnerabilities, we will never ever

mitigates against all cyber attack.

We have to be honest about that.

Anyone that says the mitigates

against cyber attacks, it would

worry me that they are looking after

their IT. We have to put protection

at the front end, patched the trust

we were able to, as quiet happened,

but I cannot understate the

complexity of the NHS estate on the

complexity of trying to patch

different parts of it because you

can't patch one part that will have

an impact on something else. The

main drive has to be on patient care

and make sure we don't impact any of

those systems. We have to look at

protection but also our ability to

immediate. We have to accept that

things will get through to cause a

cyber attacks, but how we then

respond to those becomes crucial.

I

understand what you're saying

regarding the complexities of

patching and clearly is not just the

image is itself but also some of

these suppliers. How can you better

get them to update their products

quickly? Because clearly their

machines can be attacked as well as

the computer software.

Could you address the Windows XP

point and the equipment?

This was

not a tax on Windows XP. Legacy is

the challenge of any organisation

and the NHS is not unique in having

legacy software prices across the

estate. 95% of devices in the NHS at

the time of WannaCry were running

Windows seven which is capable of

being patched. Legacy is important,

but it is not the only issue. The

reason that patching does not

happen, and to 18 months ago I was

CEO in a hospital and we had a wide

range of services, both

administrative and clinical and

clearly updating software in

clinical areas it is important to

make sure there are no unexpected

consequences to the software or

systems that are running. There is a

challenge of trying to balance the

technical risk of knowing there is a

technical upgrade that we need to do

against the clinical risks of

patients as a result of potentially

introducing something that may have

an effect on a system or a device

that is running. Continually

rebalanced that. Within the royal

free where I came from we had over

10,000 PCs and devices in the

organisation, said these are

large-scale organisations and it is

not a trivial case of saying we can

update all of these overnight. There

is complexity in that area. To the

point about medical devices,

absolutely we face challenges and

during the WannaCry tat we had

diagnostic devices embedded that had

not been patched. There are two

things to say. One is we absolutely

need to work more closely with

software and device providers to

make sure they are in a position

that when patches come up that they

are able to update their equipment,

which is very sensitive medical

equipment. We are talking about MRI

scanners for example who are

sensitive to changes. I would also

say from an IT management

perspective that there are ways of

designing the infrastructure within

an organisation to protect yourself,

so in some organisations networks

were effectively completely

connected to everything else as

opposed to separating some equipment

of the network. There are ways of

designing an environment to mitigate

some of those risks. But it is a

hugely complex area and I think we

saw with WannaCry some of the

challenges of managing these issues

in these kinds of organisations.

In

terms of windows XP it is a good

point. The operating system,

especially written software, it

could take years for that to be

upgraded. We put some guidance out

for how we segregate those because

the key thing is taking it off the

network and making sure it is

isolated to if it is on something

that has the potential to impact on

other systems. We put guidance out

how local organisations can help

mitigate that. In the

recommendations there are a number

of things we could check and make

sure medical devices are properly

segregated. Your point on the

suppliers is a good one. On the

actual weekend we were inundated

with suppliers saying, let us know

what you want in terms of support

and we will put boots on the ground

and there was no question of money

or anything like that. A number of

the suppliers help out in terms of

the remediation in some of the

organisations. We worked with the

National Cyber Security Centre

because once the attack became an

issue, antivirus providers had to

quickly up their systems to prevent

future attacks, which they did and

they completed by the end of the

weekend. Then you have got big

systems integrators like EPI systems

for major trusts. They cannot just a

patch in isolation in one system.

They do a patch across their entire

estate and some of those will take

time. It is incumbent on us to make

sure that if it is a high threat, we

proactively make sure that we do not

wait until they are patched, we make

sure they are carrying out the

patching and we know where our

vulnerabilities lie.

Is there not a

simple procurement point here? I am

wondering if you are going to change

your procurement processes so that

all new equipment that is procured

by your department should be

procured on the basis that software

will be supported throughout the

life of that equipment?

I will bring

in will the moment. What we found on

the back of the work done straight

after the WannaCry attack was that

even newly installed equipment

systems often had, for example, XP

is the embedded operating system and

that emphasises the point that has

been made that gaining the firewall

right and system integrity is as

important as the component where and

over which we might not have direct

control.

If you adopted what I was

saying, no manufacturer would be

supplying equipment with XP on it

because they would not be able to

support it?

I was going to set the

point of clarification although it

may be a point of additional

confusion. Where XP is running

embedded software, some of that is

under support. The challenge back to

the Windows seven challenge is not

about support, it is about the

challenges of upgrading that

software safely and securely to

protect patients from unintended

harm as a result of the upgrade. For

many of those devices they are under

support and they are continually

supported by the vendor.

We can

probably do more between our arms

length bodies to support local

organisations in procuring systems

to make sure they get standard

contract clauses to ensure they keep

things within the existing

up-to-date patch etc. That is

something we can help with as part

of the implementation of the report.

There is a wider point prompted by

your question. Cyber security is a

whole culture that you would need to

build into every decision you take

as opposed to we bought a system,

now how do we procure some cyber

security to go with it? When we look

at the trusts that were less

affected as opposed to more

effective, it seemed to be the ones

that had the sort of wider

governance, the wider board

interest, the ones that have built

cyber security into everything they

do. You will have heard a lot about

getting the basics right. Had you

done your patching, had you done

your backing up, had you

isolated...? These are things which

are hugely complicated things to

think of. They can be complicated

things to do, but there is an awful

lot of this which is not about what

the IT you need, but it is about the

wider leadership and that is for all

organisations up to national level.

One of the other things we should

bring out here is you should not

always go to contract when you have

a problem. When we are putting in

systems that we oversee we do secure

by design which means prior to

anything going live we have got

service acceptance criteria that

says from a business and technical

perspective, have they met the

requirement that the business need?

If we can get back right, it makes

it easier in terms of some of the

remediation because you know where

your gaps are.

Thank you.

How

certain are you that no harm was

caused to any of the NHS England's

patience as a result of the attack?

No harm has been identified. We have

a process for identifying incidents

where our trusts report where those

have arisen and as reported in the

report that is the position that we

are aware of. That is also true in

Scotland and although we are

principally concerned with England

today, as I understand it 11 out of

14 Scottish health boards and the

Scottish Ambulance Service were also

affected.

How long did it take for

NHS England to reschedule all the

cancelled and postponed

appointments?

NHS England itself

does not do it, but that would have

been within days of the original

referrals. By way of context, one

patient treatment deferred is one

too many, but the NHS does look

after 1 million people a day and the

estimate is that that was 19,500 of

those million appointments that may

have been affected in terms of

outpatient appointments. It is

obviously regrettable, but a small

proportion.

Can you quantify the

cost to the NHS from the cyber

attack and the postponement of the

appointments and all the overtime

that had to be worked as a result?

As the report says, we have not got

a national estimate of that and I am

not sure whether one has been

compiled in Scotland either. But in

effect a lot of people voluntarily

went the extra mile to sort out the

situation, not only for those of us

who are involved and set the weekend

and the following week, and I want

to pay tribute to front-line IT

staff, GP staff across hospital

systems and international bodies who

really did go that extra mile,

obviously that is an inconvenience,

but people put patients first.

When

you say voluntarily, did some people

work unpaid overtime to help with

the problem?

For example, will spend

the weekend Darren Berkshire helping

them and many people did a lot to

help out. It was remarkable that

over the course of the weekend by

the Sunday night an enormous

programme had been put in place to

sort out GP surgeries. Obviously

coming online on Monday morning, I

was at the GP surgery on Monday

morning at half past seven to look

directly at the issues were

affecting patient care and there was

mass mobilisation across the whole

NHS that weekend.

Your focus is on

the health care rather than the cost

aspect. But do you have any idea of

how much overtime was accumulated

during that period? It would give an

approximate estimate.

We do not and

the report does not say there is a

national measurement of that.

Simon

said generally people did what they

needed to do just as extra. There

would have been some overtime but at

a national level you would not have

seen any difference during a normal

accounting period.

How long is a

piece of string question, but how

much worse could this attack have

been if it had not been during the

quieter period of summer and if we

had not had an IT expert that found

the kill switch so quickly?

I would

not want to hazard a guess. We can

be certain that it would have been

worse. After the kill switch was

found we were able to monitor local

organisations, effectively culling

the kill switch. The virus was on

the device and it looked for the

kill switch. 21 organisations culled

the kill switch in that period. So

in the worst-case 21 organisations

may been impacted. Actually that

Karl was to check that there was a

network connection to the switch. It

would have been worse we think, but

I would be loath to put a figure on

it.

Can I return to the issue of

cost. You have got quite precise

numbers about the number of patients

affected and likely follow up

appointments that would have been

cancelled, although it is harder for

you to be more precise about some

other aspects of the impact. Why has

no assessment be made as to the

overall cost? That figure would be

helpful in understanding the impact

this has had on the NHS.

It is

important to say we had a

conversation with the fieldworkers.

This data collection was to

understand what the impact was and

where the impact occurred so that we

could manage it effectively to make

sure resurfaces were directed to

those pies of the NHS that require

support. We did not set out to try

and numerate all of the impact, all

of the costs, because we were

focused on resolving the incident.

And then we did have a conversation

with colleagues after the incident

while the report was being developed

as to whether we should do a

separate data collection and we had

a relatively robust discussion about

it and the view that I gave was I

did not believe that would help us

understand what happened any better

than we knew during the incident and

I was not convinced it would change

those things that we would do in the

future to prevent an attack. That is

why we do not have an answer to

those questions.

You rightly point

out to patients the impact the

impact it would have on the NHS, the

financial impact when a patient

fails to attend an appointment.

Would it not be possible to have

something similar here so we can get

an impact on cyber security?

The

underlying point is that everyone

can see that lots of things need to

change and in the sense that

argument has already been won. The

fact that we are now explicitly

changing the way in which our

individual organisations get

support, targeted investment outside

the security, and that case has been

understood.

You do not think it

would be helpful for organisation to

understand there would be a cost for

this?

I think organisations would

sigh a bit if we sent out a new set

of forms for people to complete

estimating what the marginal costs

of an event last May would be. I do

not think practically speaking it

would affect the action that now

needs to be, and is being, taken.

But you are telling patients how

much it costs when they miss an

appointment. Is that a waste of

time?

That in itself would be very costly.

Bit you frequently get reminders

saying if you fail to attend an

appointment this will cost the NHS

£120. There are those figures as to

around. That is an important driver

in patient behaviour. Is it not

helpful for organisations to

understand that failing to act in

making sure their cyber security

responsibilities are being

discharged comes with a financial

cost as well ) yes, but I don't

think that is the principal

argument.

I think the principal

argument is about patient safety and

the continuity of care that we can

offer. WannaCry was the first act of

its kind on health and care system.

We were not the only organisation by

any means affected around the world.

The German role ways, the Russian

interior ministry, Nissan, Renault,

various others were also affected --

the German railways. It was the

impetus for change and improvement

right across the health service

regardless.

To add to that, I don't

think we have got any evidence that

anyone in the NHS was not taking

this seriously. If you referred to

what the CQC and the national data

Guardian said in 2016, one of their

quotes was there was evident

widespread commitment to data

security and staff facing a

challenge in translating the

commitment into practice. I don't

think our challenge was persuading

people in the NHS with data security

is important. Certainly post

WannaCry I don't think there is

anyone in the NHS who would be

saying that. I don't think we do

need to prove to be taking this

seriously, it is equipping people

with the tools to turn that into

positive action of the type that Rob

and Will have been describing.

Understand the point you're making

but the same could be said of a

number of other things. It is

helpful for us to understand. No one

sets out to have a cyber attack

where there is an inadequate

response or people are not fully

prepared but there are good

intentions and then making sure you

have done what you need to do to set

it right.

And we agree with that.

And a number of things we have set

in place are about ensuring that

compliance of things that NHS

digital send out and others are

exactly the region that you save. On

the straight costing question, the

truth is, it does not fall out of

the data we regularly collect from

trusts and others. Other than the

very macrolevel described earlier,

we would need to get an accurate

number and do an entirely separate

data collection which places burdens

all the way through the system, and

for the reasons Will explained, we

do not see doing a specific data

collection as a particularly

positive thing. Now, that is clearly

a debatable position. I think the

National Audit Office would probably

have taken a different decision but

that is the decision that was taken.

Ideally, we would have a number but

we don't.

I agree with exactly what

Chris and Simon has said. Looking

back would not give off any help at

all. If I was ICT director in a

local trust, I would want to have

some idea that if this happens

again, in terms of how can I make a

compelling argument that we should

be investing insider security, and

one of the way they would do that is

how much it costs in terms of

remediation. How do you balance the

risk of prevention in terms of

remediation? Looking

backward not help. Even if

organisations were able to say this

is the rough order of magnitude for

an attack, it helps build their case

for what they should be spending on

defences.

Just to supplement what

he's saying, it would help

accountability. It is quite

convenient that it is proven not to

be practical among other things

which are practical. And they'll

slow think with this list of

initiatives we have here, there are

a couple of one-off numbers

associated, but not a proper costing

on what it is going to cost and is

that a practical number in context

of the pressures on the NHS budget.

It is not old-fashioned or

retrospective to say when these

things happen, it is part of

assessing the seriousness of the

event in terms of the accountability

of parliament, or practicalities of

the forward plan, to understand to

the best of the NHS's ability what

are the costs are that are

concerned. I do think that is

terribly, no one is suggesting a

retrospective thing now or

exaggerating, it is normal

accountability. Do you think that is

-- I don't think that is a bridge

too far personally.

Since there were

clearly strongly held opinions on

this matter, I am quite happy to go

and look again at whether there is

some way of coming to a global

number. I don't think it would be an

audible number -- and auditable

number that you would expect. I'm

quite happy to go and look again at

that.

We will face up to the

technical challenges!

As I say, if

there is some way we can manipulate

existing data to give ourselves a

global sum then I can see that. What

we don't want to do for reasons that

Simon was explaining is to go back

to people who take this very

seriously and could do a further

burden.

At this point, can one of

you clarify to us for this

committee, exactly what resources

are being devoted to decide the

issue? Because we have had the whole

idea of transferring money from the

capital budget to the revenue

budget, perhaps you can clarify for

us, what resources you are now

devoting to the cyber problem within

the NHS?

With national spend is

divided between what we basically

allocate to IT nationally and what

trusts and others choose to spend

themselves? Over a Spending Review

period from 2015 to 2020, we have

allocated I think 4.2 billion to IT

programmes. Our cyber security

investment comes nationally and I

keep emphasising there is a national

bit and a local bit and that comes

out of that 4.2. The original

allocation directly to cyber

security in that was £50 million.

That was supplemented by an

additional 21 million immediately

after WannaCry, namely to deal with

systems and infrastructure issues.

Then, as a part of the

reprioritisation we have done since

WannaCry, we have allocated a

further 25 million this financial

year, and then 150 million over the

following financial years. That is

our direct spend on cyber security.

It is very difficult to get to a

number of what you spend on cyber

security, for some of the reasons

you were stating earlier. When you

upgrade your systems you enhance

your cyber security and it is

frequently better to upgrade your

systems than to spend a specific

amount on cyber. A lot of the other

spending on IT will be contributing

to cyber security but those are our

direct investments.

Can we assume

from that answer, that from the

report that Mr Smart has produced

with 22 recommendations, that there

will be sufficient funds to

implement his recommendations?

What

we have said and I hope this is

clear in what we published, is that

we have re-prioritised the 25

million we are going to spend this

year and the 150 million as the

initial amounts that we will spend

on implementing all this, we will

keep that amount under review, both

in terms of how we are getting on

with implementing what Will has

recommended, and of course, the

assessment of the evolving threat. I

know that doesn't sound very clear,

but it is at the heart of our

challenge here, that this is not a

static issue with our friends in the

National Cyber Security Centre, we

are constantly monitoring for what

the next threat of -- set of threats

are and trying to stay one step

ahead of the people who are playing

games with us. We are looking at

what have they just done, where have

they blocked a potential problem and

where can we go that they have not

thought of next? Those are the

initial investments we have made but

we will keep that amount under

review. Things I should add, as we

have already I hope has become

clear, loss of these things are not

about money. They are about culture

and practice and systems, though

money is of course important. And

individual trusts, and indeed other

institutions in the NHS are

responsible for their own cyber

security and need to be investing

their own money in it. So we're not

saying that what we have announced

there is the sum total of what needs

to be to protect the NHS, we spend

money nationally on things that go

beyond the individual institutions

like the NHS spine, things where

there is a clear economy of scale,

where we can do it on the half of

the system, and things where we are

helping to create the framework in

which the rest of the NHS can

operate well, like those things

which can give advice. That is what

we allocate central money to.

Resources for the defence of an

individual trust or an individual GP

come out of their resources rather

than hours. So it is a complicated

picture, but we try to keep that

distinction between what it is right

to spend nationally, and what it is

right to leave to local trust boards

to deal with their own

circumstances.

One thing that really

concerns me, and it comes back to my

first words I think at the beginning

of this session is your department

has now been given additional

responsibilities for the social care

sector. I am very concerned, given

its diffuse nature about a cyber

attack on the social care system, if

we had large numbers of care homes,

for example, not being able to

operate because they were attacked

by a cyber attack, are you looking

at that whole aspect?

We have always

had the responsibility for cyber

security and social care, and that

is not something that is transferred

in with the new name. I will leave

Will to say in that -- to say little

more. One question, is this

technology dependent than a trust

hospital is? I would say it is much

more difficult to defend because of

its very dicey 's nature as you say.

-- diffuse nature. But the nature of

threat is probably less because it

is less on high-end IT and

diagnostics to run its day-to-day

business. Will, you looked at some

of these questions.

We know the NHS

is made up of a large number of

independent organisations, 8000 GP

practices and hospital trusts. There

are 20,000 providers of social care

across England, and they range from

small single organisations through

to large groups so we know we have a

real challenge. We are chilly have,

following WannaCry, not very much

evidence about how WannaCry

implicated social care and one of

the recommendations in my report is

about actually commissioning

research to better understand both

the cyber security stance of social

care, but more importantly, to

identify what are the right levels

of protections that need to be in

place in social care, because I

think I know that we don't know that

very well. That said, health was

particularly impacted by WannaCry

because of the National NHS network

which connects every NHS

organisation together. That was, I

think to the best of our knowledge,

Rob can confirm the route of

transmission of WannaCry, those

20,000 social care organisations in

general are not connected to that

network so in some sense that

provides some isolation. Local

government organisations which was

picked up in the NA oh report, no

local authority was affected by

WannaCry and therefore the impact on

that part of the social care network

was more to do with challenges

around sharing data between health

and social care, the interface, so

we do need to do more work. We

recognise it and I hope we would

come back with more detail.

Could you tell us, you are moving

away from the Internet system into

the NHS e-mail system. What is the

timetable for that?

We are moving

away from an three, which is the

current network that is provided by

BT. There will be a transition

network that is available whilst

organisations are able to migrate

onto the new health and social care

network. As more organisations move

away from that, what that does is,

it is a single entity and the health

and social care network is a number

of providers providing the service,

said that will make it easier for us

if we got to the situation where we

had a mass attack because it would

not attack everybody. Those

transfers will happen over the next

couple of years.

What is the

timetable before that transformation

will be complete?

Two or three

years. A lot of it is the speed of

how long organisations take to

migrate. The first set of

organisations have migrated onto the

health and social care network and

we have a number of providers

supplying those services. We need to

make sure we do not end up with a

long tail and we keep the transition

network going for a longer period

because organisations are moving

across. There will be incentives and

making sure that people do not

languish and become the last ones in

moving across.

In terms of the

response to the attack, can I ask

first of all why the plan had not

been tested for a response to a

cyber attack?

We had a plan to test.

It was purely timing. We had in

place plans to test and WannaCry

hits before we had a chat to do it.

Who was responsible overall for

leading the response?

At which

point?

In terms of my understanding

of the response to WannaCry. Who is

responsible?

On Friday the 12th we

decided during the course of the day

when it became apparent the nature

of the attack, that we would manage

this through the emergency

preparedness and response EPR

arrangements that we use for any

major attack across the NHS. At that

point the NHS in London stepped up

with our partners around the table

here to run that. Since then we have

now done a dry run through the kind

of scenarios that we would expect in

future tax and we now have a clear

IT specific cyber operating plan

that would kick in in the event of a

similar type of event in the future.

That was not in place then?

That was

one of the things that came out of

WannaCry and some of the actions

that have been taken, yes.

The NHS

emergency response system is tested

and it performs as it always does,

excellently. I admit we could have

been slicker and there were some

things that we presumed different

about a cyber attack than other

types of incident. But the plan did

basically work. The issues were

before. You see this in loss of

crisis situations. One of the

biggest issues is when do you call

it? When something is happening in a

couple of hospitals is reported when

the tip over to be a major incident?

When do you put the machinery in

place? That is always an issue.

Can

I challenge the assertion that it

did work. It worked with a bit of

luck, the plan, didn't it? The kill

switch came in and help do, but

people did not know how to

communicate with your department and

the organisations. They had to use

mobile phones or whatever. I do not

know if that particular document,

for obvious reasons it is it not in

the public domain, but can you

assure us if a future incident

happens that people would know how

to communicate with your department

and organisation and there is a set

protocol for doing so?

That is the

situation that arose that weekend

and arrangements have been put in

place subsequently to deal with

that. I don't know how much you want

us to say.

I do not want you to give

anything away. Presumably the

document is confidential.

Aspects of

it are public.

I would say that NHS

digital colleagues have put in place

a mechanism to communicate directly

across the service. Across the NHS a

tremendous amount of work has been

done about joining up networks and

they have created weekly text alerts

that connects to every CIO and

service to provide that

communication. We have learned the

lessons we need for multiple

communication channels to be in

place and I hope we do not need to

use it for a long time.

The

communications system that was in

place for EDI systems which worked

with individual trusts did work. One

of the things we learned from the

incident is you need a wider range

of people to communicate with. It is

not that the plans in place did not

work, they did, it is that you need

more than that.

I am grateful for

the clarification.

Regardless of

where you are in the country, there

would be an understanding of where

to come in the event of a cyber

attack? People on the ground would

know who to come to and have quickly

to do that? They would know where

their responsibilities lie?

We are

very clear that if there was a

suspicion in any organisation that

there may be a cyber attack, the

first port of call is the NHS

digital security operations centre.

NHS Digital will assess the risk and

within an hour of an initial contact

with NHS Digital, they will have a

discussion and I will take the

decision as to how we deal with it

and we have a process to proactively

manage that.

Had GDR been in place,

how ready would it have been able to

respond in a timely fashion to the

data breaches?

The NHS already has a

history, we report breaches, we have

been transparent about that. I do

not think GDR impact the way we

report those preachers.

Do you think

the NHS and its constituent parts

are ready for GDR in the broadest

sense? Is there an understanding

about what needs to be done?

Certainly in our organisation we

have got a full programme to become

compliant and with the type of

organisation we are you would expect

that is the case. We have had our

internal audit group come in and

look at where we are early in the

year and we have a follow up in

April to make sure we have a strong

plan to become compliant with GDP

are. Local organisations will be

doing their own planning. There is

no central oversight in terms of

whether they are on track to do

that. But the IT Toolkit that used

to put a lot of guidance out about

data protection has been replaced.

It was another recommendation in the

review because before it was a tick

box exercise that the Toolkit

became, so we have made it more into

a data security protection Toolkit

to give local organisations more

information. It is a lighter touch

but the modules in their give more

guidance around Dame Fiona

Caldicot's principles around the

Data Protection Act. It gives staff

up-to-date tools because we need to

explain to people about things like

fishing attacks and how you keep

safe online and how you make sure

you do not fall for e-mail scams. As

part of the readiness to help with

the system we have made sure we are

updating the data security

protection Toolkit so they can

update more support for our

organisations that want to move

towards compliance.

The board is

accountable for these issues and

they will be ensuring that the board

are aware of the risks to the

information governance Alliance, a

coalition which will be publishing

information for those organisations

to ensure they are as informed as

they can be as to what the

regulations are. If GDPR had been in

place, would there be any extra

responsibilities upon you as to the

reporting in place?

I am not sure.

Where does cyber security rank

alongside your many various

priorities?

It is one of our top

risks and these are managed as such.

Actually it is an area where the

Department takes a more active role

in the setting of the work and the

management of it mainly because of

its cross government nature. And

because we are also interfacing with

the cyber Security Centre and

others, so we are...

Do you think

the chain of events leading to the

WannaCry attack would demonstrate

that it is up there as one of your

top priorities? Do you think the

evidence in the run-up to the

WannaCry attack would demonstrate

that it is a key priority?

In terms

of priority, yes. In the two reports

that were referred to earlier, my

predecessor as permanent Secretary

one of the last things she did was

to review governance of IT including

the security governance and she put

in a new structure, including the

role that we would play which is

looking across on behalf of all of

us the digital and IT issues. I do

not think it is the case that there

was a lack of priority. With

hindsight looking at WannaCry would

it have been even better if those

things had started earlier? Of

course, yes. But certainly since

2015 when our national approach on

cyber security began I do not think

there is a lack of priority. But we

have a huge amount to learn.

You are

right to say with the benefit of

hindsight, but was it not the case

that you were lucky this time

because of the timing of the attack,

the kill switch, it was Friday

afternoon, it was not in the middle

of winter? Had any of those factors

come at different points, the

outcome might not have been so

positive?

We have discussed a number of those

things as we have gone along.

Clearly, if this had happened at a

time when the NHS was on the

pressure for other reasons, such as

winter, clearly this would have

multiplied the effect. As Simon

explained earlier, nationally it is

quite a small percentage of NHS

procedures which were affected,

somewhere around 1%. Clearly, if you

put that on top of a point where we

were having problems for other

reasons, that would have a big

effect. On the kill switch, I

discussed this with my colleagues at

the National Cyber Security Centre,

there is clearly some luck in terms

of whether somebody find a

mitigation. What happens in these

cases is as soon as you get an

attack, a large number of people

both the public in private sector --

across both the public and private

sector, look for tech mitigation and

hopefully someone finds one. At

which point, everybody else stops,

as it were. So you clearly could

have a scenario where none of those

people find something. So we were

lucky in a sense that somebody did,

but it is not the case that there

was only one person looking etc. As

it happens, that individual found

one and did so quite quickly and

that clearly mitigated the effect.

But there is some science as well as

some luck involved involved in those

processes.

The kill switch as well,

as said earlier, there were 150

countries impacted by this. The way

National cyber Security works,

whoever finds the kill switch, the

key thing is it is broadcast as

quickly as possible. The fact that

it was found by somebody in this

country, we had already unpicked the

code, it could have been an hour

later or a day later, but we have to

make sure our agreements with the

other countries, whoever finds the

kill switch, the key thing is

communicating that quickly so you

can enact it and reduce the impact

of the attack.

I understand what

you're saying, but in the event that

it had taken longer or it had not

happened, what could have been done

to try and mitigate the impact of

the ongoing attack?

I think in terms

of what was happening, I think the

command and control were in position

and NHS England worked really well.

Simon Weldon said where he wanted

bits on the ground. All of that was

positive and it was a learning

experience as well. What I would say

is if that had not happened there

would be more business continuity

planning which needed to be taken

into account. There could have been

more organisations in active but we

knew what the impact would be by

then. What this was doing was was

locking out systems. We knew once it

had locked those systems, it was not

changing data. What it was doing was

blocking it. So business continuity

planning kicked in and worked really

well in the NHS.

I would like to add

that the kill switch was not the

only thing going on to mitigate the

effect for organisations. Every NHS

organisation up and down the

country, IT engineers were working

in the server farms, in the network

areas, on the PCs to isolate and

make sure everything possible was

done. I do organisations were taking

steps to protect themselves. We

cannot say what the impact would

have been if the kill switch was not

found but we do action was taken

locally and that was having some

preventable effect on the spread.

Suppliers had updated their products

to stop that attack from happening.

Over the weekend, the fact they had

taken their product, uplifted it so

it was no longer a vulnerability

that could be exploited, the number

of organisations that could be

impacted would be reduced as long as

they had antivirus in place.

Turning

to the review, can I ask what the

Mac and motivation -- can I ask what

the mechanism for lamenting that

would be?

I presented a report. We

will read over the coming weeks the

recommendations and they will no

doubt accept, reject or amend those

recommendations so we have a period

of dialogue to go through.

Yes, we

will be using the existing

government mechanisms we used to

manage our IT investments and data

security detectors forward. It is a

complicated picture. It does involve

multiple organisations even at

national level and a lot of the

impairment nation needs to be done

hopefully by individual trusts and

others. I don't want to downplay the

complications but we do think we

have a good structure now for

bringing together the key players in

the NHS, and coming to a single

agreement, and it is that board that

does so.

Mr Smart, of your 22

priorities, are there some you would

draw attention to and say that if

you had to pick out a number, these

are the areas of the greatest

importance which would have the

biggest impact?

I would obviously

say all 22 are critically important.

If I were to summarise, leadership

is a really critical issue here. We

need boards to being gauged in the

cyber agenda and we need to make

sure that there is appropriate

governance within organisations to

enable clinical risk and technology

risk and operational risk to be

properly managed in the

organisation. One of my mantras over

the past month has been the boards

really need to be owning this agenda

and driving it within the

organisation. That is probably one.

The second area, my first four

recommendations are around

standards. I have worked in local

organisations and I have done my

best to ignore everything that NHS

England and Improvement have told me

that that time. But we absolutely

need to step up and be clearer what

good looks like and what the

standards I like. So the standards

around action plans to implement

cyber are a plus. But also a

recommendation as well, about being

clear about what technology and

technical standards need to be in

place with organisations I think is

really important. And then maybe

thirdly, rather than going through

everyone, what we saw I think in the

WannaCry attack was an environment

which was probably much more

connected in health care than I

think many of us give health care

credit for. We saw, vertically when

we looked at the 46 affected

organisations, that those which did

not have WannaCry infection but were

impacted as a result of decisions

being taken by others to protect

themselves, that we have a very

interconnected NHS. So the

recommendations around looking at

business continuity plans beyond the

boundaries of your own organisation,

to understand who you are connected

to, what the impact of decisions

that you will take on others and the

decisions that they take on your

organisation I think is critical to

insuring that short period of time,

when we have an incident emerging

that we can be confident the right

decisions are being taken.

Which

comes on to recommendation 15 which

talks about NHS digital having the

ability to isolate organisations,

parts of the country with particular

services in order to contain the

spread of a virus during an

incident. I want to ask how

impractical terms that would work?

So I think Rob and I had a long

conversation about this this

morning. I think it goes back to the

point I made about business

continuity. This is not something

where we say we are about to switch

off large parts of the network, it

is particularly where together with

the local communities and

organisations, there is an emerging

threat within an organisation that

we take an decision to isolate.

Preventative, I think there is a lot

of work we need to do to make it an

option which is safe and practical

and it would not be something we

would do lightly.

Just to add to

that, going back to a provider which

was badly affected at the time, it

has been really interesting to see

how boards have embraced this. I

think boards have learned a lot,

they understand their exposure,

their interconnections on a regional

and national level. You can see an

awful board activity about risk.

None of these things are risk-free.

There is a danger that people think

this is the only risk we have to

deal with. Simple things like

maintaining a CT scan not risk-free.

Often you get simple routine

maintenance and then spent several

days getting the machine fully up

and running again. I think one of

the benefits is it has made board is

much more aware of their

vulnerabilities and this all cannot

sit at a national level. It is very

much knowing what your own risk far,

how you're connected in regional

systems and how you respond and help

each other out at this time.

Sir

Chris, do we know how much these

recommendations will cost and is the

money there to deliver on them in

full if that is what the department

decides?

Not precisely, no. We have

made an initial reprioritisation of

150 million to this, but for some of

the reasons I explained earlier, we

will keep that under review. As I

say, this is one of the things that

are taking forward Will's report,

the digital delivery board will

consider which overlooks the entire

programme of 4.2 billion across the

Spending Review. We have not tried

to cost individually the individual

recommendations, we have made an

initial investment on resources. We

will keep that under review and we

will take the advice of the delivery

board about where we need to go in

the future.

What is more difficult

to engage as we know there will be

costs involved with implement in the

costs of the review, but we do not

know what the unspecified or

undetermined costs of what an attack

of greater magnitude could be so

this may involve significant

spending but it could in the long

run be not only the right thing to

do in terms of patient safety but

save the NHS a lot of money in the

event that a more serious attack

were to occur?

Yes, but all these

questions are difficult issues of

the balancing of risk. We were

discussing some of this outside. The

way to best make yourself secure

against cyber attack is to turn

everything off, with obvious

consequences for patients and

others. Likewise, it is possible to

spend considerable sums of money,

and still be vulnerable to attacks

and when you look at attacks across

the board, it has included

organisations that spend huge sums

of money. So the question of

investing wisely is probably more

important here than the actual

quantum, and some of the other

issues that Will was picking out

about culture and cyber security are

again probably more important than

the quantum here. There are clearly

investment questions here which is

why we have made reprioritisation

but you can spend enormous sums of

money and not be secure.

Can I add

as well but we have got to make sure

that we future proof this. What we

cannot do is throw public money and

say we will protect now but we are

protecting against the past. We have

to make sure that we have a

well-balanced risk. It is all but

learned protection. We can say we

are doing something at the front

door but someone is climbing through

your back window at same time. You

have to make sure that as you peel

back then onion that you have

different layers of protection and

NHS digital should hopefully with

the money that has been allocated,

do something to reduce the systemic

risk. It does not make sense for

each organisation to monitor

organisations at its perimeter. The

other part of Will's recommendation,

at the minute NHS Digital do not

know what is deployed in all the

major trauma centres, the Ambulance

Service and big foundation trusts.

If we knew what was deployed and

then we have a threat, we can make

targeted analysis and we can make it

at individual organisation level.

That sex with some of the guidance

and it makes it much more specific.

I know in terms of the

recommendations, I know it talks

about switching people of the

system, but a crucial thing is about

understanding what is deployed and

what the threat and ounces. That is

certainly a big priority for me.

Can

you give an idea of where we would

expect to be in six months from now

and how we would complete all 22?

We

are already undertaking a great deal

of work around cyber protection,

remediation etc as we speak. All of

these actions will start

immediately. Some of them have a

longer lead time and again, we need

to have a detailed conversation with

the data security leadership board

as to what the appropriate plan and

timescale for that looks like, so I

would expect that over the next few

weeks, months, we will be able to

come back with a much clearer plan

and timetable.

We are coming towards

the end. Can I have some quickfire

questions? Principally to Sir Chris

and Simon Stevens. Can you tell us

where we have got with the care cert

system. How many organisations are

signed up for the care cert portal

and how many organisations have

registered technical compliance?

So

care cert, we have worked with the

leaders both with NHS England and

NHS Improvement and all the

foundation trusts are signed up to

it. There are some benefits to that.

It is not a case of signing up and

we can contact them, where it is

dividing enhanced threat protection,

we have done a customised agreement

so that organisations can download

patches. Round about a third of all

trusts have downloaded patches from

the service. But does not mean two

thirds haven't. This is to support

software which was not previously

supported. Care cert is moving

forward. There is a number of things

we have put forward around

vulnerability scanning. There are

things we can do with the funds

allocated. We need to make sure we

prioritise things in terms of impact

and what the systemic risk is in

terms of value for money. In terms

of signing up, I'm pleased to say

that through NHS England and NHS

England, there is 100% sign up now

from the trusts. The high-risk are

fully signed up.

Are you sure in your own mind both

your organisations have a hand on

preparedness in the event of an

attack? Or are there other

organisations out there that are

still unprepared?

I think we have

got much better visibility than we

had in May about the situation. What

we are focusing the 25 million

second tranche of funding this year

is for those organisations that have

vulnerabilities around some of the

high-level care issues that were

identified and to address the media

issues there. We have a good sense

of where the next group of

organisations are going to. We know

that some organisations, but she is

a good example, which is a huge

organisation, they have a lot to do

to address all of their cyber

resilience issues and we are working

hard with them in terms of working

through their vulnerabilities,

providing them with funding and

support. I think we broadly know

those organisations which are most

worried about and we have a plan for

them.

Do you have a number in your

head of the trusts that have a lot

more work to do?

I would not like to

give a number out. I am happy to

come back with a number.

I

appreciate it might be sensitive

information, but what I am trying to

get that is within the parameters

you have set out, always it is the

worst that have the most work to do

and I want to know if you are on top

of those that have a lot more work

to do?

We have a list and we have

regular calls in an age with the

improvement staff where we go

through those organisations that we

think our furthest away from having

all of the technical controls in

place that are required. In one

sense, and this may come out a

slightly odd, I am almost less

worried about those organisations

because they are the organisations

that know themselves they have a

distant to go. I think the worry and

the cultural leadership challenge is

for those organisations that were

not affected during the WannaCry

crisis that may think that reflects

the good work the organisation that

has done, those are the

organisations we need to be

targeting to make sure that they are

really on top of it in the

infrastructure?

Is this CQC

inspection the only way you will get

an in-depth knowledge of where each

trust is or are there other

mechanisms that you can use to

enquire into their preparedness?

We

do a full inspection on site,

penetration testing, looking across

the full estate so when they respond

the information gets past two CQC.

Before it was just between ourselves

and the local organisations but as a

result of WannaCry that information

is being shared so CQC can use that

as part of the unannounced

inspections if they choose to do so,

but through his area we can see the

ones that are at the lower end as

well as the ones at the top end.

Clearly at high-level there are a

lot of government organisations and

key government organisations that

are looking at the whole area of

cyber security. Are you satisfied

that your contacts with all those

government agencies are sufficient

to enable your department because

this is an ongoing science? You can

never rest from it. There are new

methods of penetrating IT systems

coming along all the time. Are you

really sure all government agencies

are coordinating as they should?

I

can never promise they are

coordinating perfectly. NHS Digital

have very close working

relationships with us and during the

cyber attacks and we work closely

with them afterwards as well. That

is a new piece of the landscape and

it makes it considerably simpler for

us that there is a single centre for

all government needs on these issues

and which we can work with.

There is

only ourselves and the MoD along

with the National Cyber Security

Centre, so other departments rely on

information being fed out. Because

we are monitoring the National

spine, the mail system, etc, we

share information with the National

Cyber Security Centre so there are

alerts that come out from them that

originate from what we have seen on

our networks. That partnership has

grown quite significantly in the

last 12 months or so.

Can I go back

to your point on the EPRR? What time

did you know that this attack was

taking place?

It was about one

o'clock on the Friday that there

were the first reports. A national

incident was called at four o'clock.

Is that right?

If that is the

timescale that sounds like a

reasonable timescale to be making a

decision on a very important

national issue?

As I say, the NHS is

very good at emergencies and it does

kick in very quickly. We had a

conversation with the National Cyber

Security Centre straightaway when

the first reports came in, which was

also helpful to that

decision-making. But the

decision-making by NHS England was

very swift indeed.

The first trusts

were reporting to NHS Digital by

lunchtime one o'clock and by four

o'clock it had become a larger group

of trusts so we declared a major

incident. At five to five NHS

Digital released to the NHS

bulletin. At five o'clock we braved

the Secretary of State and by 6:45pm

we had initiated the EPRR plans for

coordinating across the whole of the

NHS.

Thank you for that helpful

answer. Can I challenge one of your

earlier answers in which you said it

worked well. In communications there

seems to have been a bit of tension

between what you should have been

communicating and in some respects

people wanted more information to

know what was happening in their

NHS. In another respect some of the

trusts were wanting to keep it quiet

because they did not want their

particular weaknesses to be exposed

I presume. Have you undertaken a

lessons learned as it were for the

whole EPRR process? Have you in

particular looked at how you would

communicate these types of incident

in the future?

Yes, we review the

process all the time and every time

there is an incident that uses the

machinery there are lessons learned.

We updated in the light of