Majority of NHS trusts fail cybersecurity standards


It has been revealed that almost all of the NHS trusts operating in the UK that were assessed for cyber security resilience have failed an on-site assessment.

MPs on the Public Accounts Committee were recently informed that 200 of the 236 NHS trusts failed the cyber security assessment, and a timeline has not yet been provided for the testing of the remaining 36.

In a hearing titled “Cyber-attack on the NHS”, held following last year's WannaCry ransomware attack, the deputy chief executive of NHS Digital, Rob Shaw, denied claims that the government bodies that did not receive a passing grade had done little to improve their overall cyber security in the wake of the global incident.

Shaw offered further insight into how difficult it is for NHS providers to reach the Cyber Essentials Plus standard, saying:

“The amount of effort it takes for NHS providers in such a complex estate to reach the cyber essential plus standard that we assess against... is quite a high bar. Some of them have failed purely on patching, which is what the vulnerability was around WannaCry. Some of them need to do a considerable amount of work but a number of them are on a journey to meeting that requirement.”

Shaw also pointed out that the bodies at highest risk should be re-inspected using additional funds from the NHS.

NHS Improvement's chief information officer, Will Smart, noted that £21m had been invested towards improving cybersecurity and an additional £150m had been allocated towards improving national systems and resilience over the course of the next two years.

Due to security concerns, Smart did not reveal how many organisations are still at high risk, though he voiced concerns over those that had not been affected by WannaCry but still remained complacent with regard to their cyber security practices.

In a recently published review, Smart laid out 22 recommendations based on lessons that had been learned from WannaCry. He stressed to MPs that having appropriate standards in place across the NHS to prevent a similar incident was his top priority going forward.

The WannaCry ransomware attack was a wake-up call for many businesses and organisations, but none more so than the NHS, which could have prevented the attack from affecting its operations.
