Question to the Department of Health and Social Care:

To ask Her Majesty's Government, following the WannaCry ransomware attack on the NHS, what instructions were provided to (1) NHS, and (2) Public Health England (PHE), staff about the importance of software updates; what assessment they have made of whether the PHE Excel errors, resulting in COVID-19 cases being unreported, were related to a lack of software updates; and what plans they have to ensure that PHE uses appropriate database software to record and analyse COVID-19 data in future.

All health and care organisations that have access to National Health Service patient data must annually complete NHS Digital’s Data Security and Protection Toolkit. The Protection Toolkit includes guidance on how to manage out of date software. To meet the standard required, organisations must operate on supported systems or have plans in place to mitigate the risk such as segregating those machines from the network. NHSX and NHS Digital are also supporting NHS organisations to upgrade their existing Microsoft Windows operating systems to Windows 10 and to deploy Advanced Threat Protection. This gives oversight of cyber activity at device level across the NHS and whether they have installed updated software to protect them from cyber threats.