200 NHS Trusts Fail Basic Cybersecurity Tests
Cybersecurity assessments reveal that NHS trusts still carry the security weaknesses exposed by the 2017 WannaCry cyberattack.
The Care Quality Commission (CQC) recently subjected the NHS's cyber security defences to on-site assessments, and every trust assessed failed. Assessors found that patching of IT systems, the core weakness that the WannaCry ransomware exploited to spread between unpatched machines, was still not being carried out adequately.
Rob Shaw, deputy CEO of NHS Digital, told the Public Accounts Committee: "It isn't the case that all of the trusts have done nothing around cyber security. The amount of effort it takes from NHS providers in such a complex estate to reach the Cyber Essentials Plus standard that we assess against is quite a high bar."
“Some of the trusts have to do quite a considerable amount of work, but a number of them are already on the journey that will take them towards meeting that requirement. One of the things that we may want to consider now that we’ve got the additional funding available is whether or not we should go back and re-inspect some of those where there is the highest risk, in order to provide us with the reassurance that they are going in the right direction.”
New Cyber Security Measures Already Taken by the NHS
In the wake of WannaCry, which the National Audit Office described as an unsophisticated attack that could easily have been prevented, officials set aside £20 million to strengthen the NHS's cyber security. The funds were to create a security centre that continuously assesses cyber defences for weaknesses, and to address key vulnerabilities in major trauma centres and ambulance trusts. The NHS Digital data security helpline was made available 24/7 to handle out-of-hours calls; it is supported by an expert data security on-call team.
The NHS has also signed up to CareCERT for guidance and support on responding to cyber threats. Alongside this, NHS Digital and the CQC plan to carry out unannounced deep-dive inspections of NHS trusts to check whether they meet the required cyber security standards.
Ted Baker, chief inspector of hospitals at the CQC, said in a statement that these unannounced inspections are intended to establish a baseline of what good looks like.
NHS Digital has launched CareCERT Collect, an online self-service platform on which local organisations record their technical compliance and supply technical information to support mitigation work. A Cyber Handbook was also produced, setting out how NHS England, NHS Digital and NHS Improvement should respond to a cyber-attack affecting the health service.
The report Lessons Learned Review of the WannaCry Ransomware Cyber Attack, by William Smart, Chief Information Officer for Health and Social Care, states that an initial £150 million has been identified for continued investment in local infrastructure and in national systems and services, to improve monitoring, resilience and response. While action has clearly been taken to increase cyber resilience, the NHS will have to speed up this work and strengthen its systems considerably. Cyber security experts have made it clear that a repeat attack is not a matter of if, but when.