All 200 NHS trusts fail latest cybersecurity standards

Little has improved since WannaCry debacle, parliamentary committee hears

Despite attempts for improved security provision, the UK's Department of Health has admitted that all 200 NHS trusts assessed for cybersecurity vulnerabilities have failed to meet the standard required.

Civil servants revealed the news in a parliamentary hearing earlier this week, which heard of the effects of the WannaCry ransomware attack on parts of the NHS last year.

The malware affected 300,000 computers in 150 countries in May last year, including 48 NHS trusts, also shutting down multiple hospital IT systems as well as companies and universities elsewhere.

At the time, NHS Digital said the NHS itself was not specifically the target of the attack but part of a wider "Wanna Decryptor" ransomware campaign that was only thwarted when a security researcher discovered a 'kill switch' that stopped the attack in its tracks.

However, hospital trusts across England and Scotland admitted they'd been caught up in the attack, with appointments cancelled, phone lines down and ambulances diverted. Doctors and other staff had also been sharing further details on Twitter, with one screenshot suggesting the ransomware was demanding $300 in Bitcoin to decrypt files, with the price doubling after three days.

Appearing before the Commons' Public Accounts Committee on Monday, NHS Digital deputy chief executive Rob Shaw said trusts were still failing to meet cyber security standards since the WannaCry debacle, admitting some have a "considerable amount" of work to do.

"The amount of effort it takes from NHS providers in such a complex estate to reach the Cyber Essentials Plus standard that we assess against as per the recommendation in Dame Fiona Caldicott's report, is quite a high bar. So some of them have failed purely on patching, which is what the vulnerability was around WannaCry," he said.

Simon Stevens, the chief executive of NHS England, added: "A whole bunch of things need to change."

The total cost of the impact on the NHS is still unknown, as and may never be, attendees heard.

The UK's Foreign Office officially blamed North Korea for the WannaCry campaign in December, though the country's regime denies involvement.

Following WannaCry, officials set aside 20 million for the NHS to create a security centre designed to constantly probe the organisation's cyber defences using ethical hackers, as well as issuing best practice guidance around cybersecurity incidents.

The National Audit Office (NAO) slammed the NHS's security in October last year, saying "basic IT security" measures would have prevented WannaCry from causing the chaos it did. 

"It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the department and the NHS need to get their act together to ensure the NHS is better protected against future attacks," said Amyas Morse, head of the NAO, at the time.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

How can you protect your business from crypto-ransomware?
Security

How can you protect your business from crypto-ransomware?

4 Nov 2019

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
iPhone 12 lineup official with A14 Bionic chip and 5G support
Mobile Phones

iPhone 12 lineup official with A14 Bionic chip and 5G support

13 Oct 2020
Google blocked record-breaking 2.5Tbps DDoS attack in 2017
Security

Google blocked record-breaking 2.5Tbps DDoS attack in 2017

19 Oct 2020