Vast majority of NHS trusts have failed cyber security assessment, Brit MPs told

Don't panic, Captain Mainwaring!

By Kat Hall

Every single one of the 200 NHS trusts in the UK so far assessed for cyber security resilience has failed an on-site assessment, MPs on the Public Accounts Committee were told yesterday.

There are a total of 236 trusts. There is no timeline on when the remaining 36 will be checked over.

In a hearing about the WannaCry incident last June, titled "Cyber-attack on the NHS", Rob Shaw, deputy chief executive of NHS Digital, denied that the trusts which had not passed had done nothing about cyber security.

He said: "The amount of effort it takes for NHS providers in such a complex estate to reach the Cyber Essentials Plus standard that we assess against... is quite a high bar. Some of them have failed purely on patching, which is what the vulnerability was around WannaCry."

He added: "Some of them need to do a considerable amount of work, but a number of them are on a journey [to] meeting that requirement."

Shaw said NHS Digital "may want to consider whether to re-inspect those at the highest risk, now we have the additional funding."

Will Smart, chief information officer at NHS Improvement, said that since the incident £21m has been invested in improved cyber security, while another £150m has been identified to improve national systems and resilience over the next two years.

He said "further reprioritisation and additional investment for cyber security is being considered".

Smart declined to say how many organisations were still at high risk, citing security concerns. However, he said it was those organisations who had not been affected by WannaCry but were complacent about their practices that were the ones he was "most worried about".

Smart published a review last week setting out 22 recommendations drawn from the lessons learned from WannaCry. He told MPs that having appropriate standards in place across the NHS to enhance resilience, and appropriate governance in place to prevent it from happening again, were his "top priorities".

In October, the National Audit Office said the NHS could have fended off WannaCry "if only it had taken simple steps to protect its computers", but had failed to heed warnings from CareCERT about the risk of falling victim to a cyber attack a full year before the incident happened.

Chris Wormald, Permanent Secretary at the Department of Health, said a national strategy for responding to a cyber attack had been due to be tested, but the incident occurred before the NHS had a chance to trial it.

Before the WannaCry attack, the Department of Health said, it had work underway to strengthen centralised cyber security in the NHS.

NHS Digital's CareCERT has a system for broadcasting alerts about cyber threats, providing a hotline for dealing with incidents, sharing best practice and carrying out on-site assessments to help protect against future cyber attacks.

NHS England had embedded the 10 Data Security Standards in the standard NHS contract for 2017-18 and was providing training to its board and local teams to raise awareness of cyber threats, the department said.
