One year after WannaCry, zero NHS trusts pass cyber security assessment

Damning government report reveals NHS still fails to meet cyber security requirements

The government's Public Accounts Committee has today released the findings of its report into the WannaCry ransomware which hit the NHS in May 2017, revealing that not one NHS trust is up to an acceptable standard of cyber security.

Following the WannaCry attack, the report said, the NHS has assessed the cyber security level of 200 trusts. Disappointingly, however, every single trust failed the cyber security assessment - in some cases because they had failed to apply critical patches to their systems, which is the main reason WannaCry was able to spread so widely in the first place.

Advertisement - Article continues below

"The Department and NHS Digital told us that trusts had not passed the test, not because they had not done anything on cyber security, but rather that the Cyber Essentials Plus standard against which they are assessed is a high bar," the report said. "However, some trusts had failed the assessment solely because they had not patched their systems - the main reason the NHS had been vulnerable to WannaCry.

"NHS England told us that it is also concerned that trusts that were not infected by WannaCry could become complacent over cyber security and not keep on top of their cyber security risks."

Advertisement
Advertisement - Article continues below

On top of this, NHS Digital told the committee that it still lacks key information on the cyber security posture of local healthcare facilities, such as the use of anti-virus software and IP addresses.

"Applying patches, downloading securing updates and keeping passwords hard to guess are simple practices that can go a long way, but it seems like this isn't happening among healthcare organisations currently," said David Emm, principal security researcher at Kaspersky Lab.

Advertisement - Article continues below

"Health data is attractive to criminals, and the interconnected medical devices that we are increasingly seeing present across healthcare institutes are susceptible to the same security risks as traditional IT devices."

The report found that around 80 of England's 236 NHS trusts were affected by the ransomware, as well as more than 600 additional NHS organisations such as GP's practises. The incident - which was declared a major incident' by the NHS - resulted in the cancellation of almost 20,000 operations and hospital appointments.

Despite this, however, the DfH still has no estimate of how much money WannaCry cost the NHS, stating that its focus at the time was on caring for patients.

"We recognise that at the time of the attack the focus would have been on patient care rather than working out what WannaCry was costing the NHS," the report read. "However, an understanding of the financial impact on the NHS is also important to assess the seriousness of the attack and likely to be relevant to informing future investment decisions in cyber security."

Advertisement - Article continues below

Further facts about the NHS' troubling level of cyber security (both before and after WannaCry) were also revealed. For example, although the DfH, NHS England and NHS Improvement published a list of 22 recommendations for improving the NHS' cyber security back in February, plans to implement the recommendations have yet to be agreed upon, and the Department for Health still has no idea when it will happen or how much the process will cost.

Advertisement
Advertisement - Article continues below

One of the key issues faced by the NHS in keeping itself secure, the DfH told the committee, is that many local bodies are unable to apply updates and patches to IT systems without disrupting patient care, as many are interdependent on each other.

"Nearly one year on from the WannaCry cyber attack, it is clear that there is a need for constant vigilance within the NHS to ensure that patient data and vital systems are protected," said techUK's head of programme for Cyber and National Security, Talal Rajab.

Advertisement - Article continues below

"It is important to note that WannaCry was not just a wake-up call for the NHS, but for organisations across the public and private sector, to get their house in order and remain prepared in this era of heightened cyber tensions. Further sector-specific guidance can be found through the National Cyber Security Centre."

Some progress has been made, however; since WannaCry hit the NHS, the Department for Health has carved off nearly 200 million to invest in various improvements to cyber security up to 2020, including more support resources for vulnerable organisations, improvements to local infrastructure and addressing major security gaps in major trauma centres and ambulance trusts.

The committee set out a number of further recommendations for the Department for Health as part of the report, including that it should provide support and guidance for local healthcare organisations on how to efficiently patch systems with minimal disruption, as well as ensuring that staffing plans focus on IT and cyber security.

Advertisement - Article continues below

The report also recommended that all of the NHS' contracts IT and equipment vendors include guarantees for support and protection to guard against cyber attack.

Furthermore, the DfH is to provide the government by the end of June 2018 with an estimate for the cost of WannaCry to the NHS and a progress report on the implementation of the recommendations it made in February.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement
Advertisement

Recommended

Visit/security/ransomware/356292/university-of-california-gets-fleeced-by-hackers-for-114-million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Visit/security/cyber-security/356289/australia-announces-135b-investment-in-cybersecurity
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
Visit/cloud/cloud-security/356288/csa-and-issa-form-cybersecurity-partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Visit/security/ethical-hacking/356252/poorly-secured-banking-apps-lead-to-cyber-threats
ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020

Most Popular

Visit/mobile/google-android/356373/over-2-dozen-additional-android-apps-found-stealing-user-data
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020
Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/cloud/356260/the-road-to-recovery
Sponsored

The road to recovery

30 Jun 2020