All 200 NHS trusts fail latest cybersecurity standards

Little has improved since WannaCry debacle, parliamentary committee hears

Despite attempts for improved security provision, the UK's Department of Health has admitted that all 200 NHS trusts assessed for cybersecurity vulnerabilities have failed to meet the standard required.

Civil servants revealed the news in a parliamentary hearing earlier this week, which heard of the effects of the WannaCry ransomware attack on parts of the NHS last year.

Advertisement - Article continues below

The malware affected 300,000 computers in 150 countries in May last year, including 48 NHS trusts, also shutting down multiple hospital IT systems as well as companies and universities elsewhere.

At the time, NHS Digital said the NHS itself was not specifically the target of the attack but part of a wider "Wanna Decryptor" ransomware campaign that was only thwarted when a security researcher discovered a 'kill switch' that stopped the attack in its tracks.

However, hospital trusts across England and Scotland admitted they'd been caught up in the attack, with appointments cancelled, phone lines down and ambulances diverted. Doctors and other staff had also been sharing further details on Twitter, with one screenshot suggesting the ransomware was demanding $300 in Bitcoin to decrypt files, with the price doubling after three days.

Appearing before the Commons' Public Accounts Committee on Monday, NHS Digital deputy chief executive Rob Shaw said trusts were still failing to meet cyber security standards since the WannaCry debacle, admitting some have a "considerable amount" of work to do.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"The amount of effort it takes from NHS providers in such a complex estate to reach the Cyber Essentials Plus standard that we assess against as per the recommendation in Dame Fiona Caldicott's report, is quite a high bar. So some of them have failed purely on patching, which is what the vulnerability was around WannaCry," he said.

Simon Stevens, the chief executive of NHS England, added: "A whole bunch of things need to change."

The total cost of the impact on the NHS is still unknown, as and may never be, attendees heard.

The UK's Foreign Office officially blamed North Korea for the WannaCry campaign in December, though the country's regime denies involvement.

Following WannaCry, officials set aside 20 million for the NHS to create a security centre designed to constantly probe the organisation's cyber defences using ethical hackers, as well as issuing best practice guidance around cybersecurity incidents.

Advertisement - Article continues below

The National Audit Office (NAO) slammed the NHS's security in October last year, saying "basic IT security" measures would have prevented WannaCry from causing the chaos it did. 

"It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the department and the NHS need to get their act together to ensure the NHS is better protected against future attacks," said Amyas Morse, head of the NAO, at the time.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement

Recommended

Visit/security/29204/how-can-you-protect-your-business-from-crypto-ransomware
Security

How can you protect your business from crypto-ransomware?

4 Nov 2019

Most Popular

Visit/infrastructure/server-storage/355118/hpe-warns-of-critical-bug-that-destroys-ssds-after-40000-hours
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Visit/mobile/mobile-phones/355088/apple-lifts-iphone-purchase-restrictions
Mobile Phones

Apple lifts iPhone purchase restrictions

23 Mar 2020
Visit/software/video-conferencing/355138/zoom-beaming-ios-user-data-to-facebook-for-targeted-ads
video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020
Visit/operating-systems/microsoft-windows/355105/microsoft-puts-windows-development-on-lockdown
Microsoft Windows

Microsoft puts Windows development on lockdown

25 Mar 2020