Skip to main content

NHS: Cybersecurity

Question for Department of Health

UIN 780, tabled on 22 June 2017

To ask the Secretary of State for Health, if he will provide an update on how sensitive data is protected in the NHS; and what steps he has taken to improve cyber-security in the NHS since the ransomware attack on 12 May 2017.

Answered on

27 June 2017

Cyber resilience in the health and care system is an issue that the Government takes very seriously.

We have changed the National Health Service standard contract to include, from April 2017, cyber security requirements.

Evidence shows that the use of unsupported systems is continuing to reduce in health and care, as organisations replace older hardware. Latest estimates suggest the usage of Windows XP in the NHS has reduced from 15-18% at December 2015, to 4.7% of systems currently.

The 12 May 2017 ransomware incident affected the NHS in the United Kingdom. It is standard practice to review any major incident in the NHS. Further, the Chief Information Officer for health and care is undertaking a review into the May 2017 cyber-attack which is expected to conclude in the autumn.

The identifiable cost of emergency measures put in place to specifically address the NHS ransomware attack on 12 May 2017 was approximately £180,000. These costs were borne by NHS Digital and NHS England from internal budgets. Information relating to any expenditure incurred by individual local NHS trusts or other NHS organisations is not collected centrally.

We do not comment more widely on matters of security.

Named day
Named day questions only occur in the House of Commons. The MP tabling the question specifies the date on which they should receive an answer. MPs may not table more than five named day questions on a single day.