Every single NHS trust assessed for cyber security vulnerabilities has failed to meet the standards required, MPs heard this week.
The amount of effort it takes from NHS providers in such a complex estate to reach the cyber essentials plus standard that we assess against is quite a high bar
In a recent Parliamentary hearing exploring the impact of the WannaCry cyber attack which disrupted parts of the NHS last year; Department of Health (DoH) officials said all 200 trusts had failed, despite increases in security provision.
The attack last May is believed to have infected machines at 81 health trusts – nearly a third of the 236 NHS trusts in England – plus computers at almost 600 GP surgeries, according to a National Audit Office (NAO) report which was released in October.
Rob Shaw, NHS Digital’s deputy chief executive, warned that trusts were still failing to meet cyber security standards, and revealed some have a ‘considerable amount’ of work still to do.
Appearing before the House of Commons’ public accounts committee, he said the department had completed 200 on-site assessments, but none had matched the ‘high bar’ set by the national data guardian, Dame Fiona Caldicott.
The healthcare industry cannot accept defeat. Instead, it must work with security vendors and other public-sector organisations to share resources and threat intelligence to more effectively combat the growing rate of cyber crime
“The amount of effort it takes from NHS providers in such a complex estate to reach the cyber essentials plus standard that we assess against as per the recommendation in Dame Fiona Caldicott’s report, is quite a high bar. So some of them have failed purely on patching, which is what the vulnerability was around WannaCry,” he said.
The NAO said the DoH was unable to give a cost for the impact of the attack, adding that the full extent of the damage may never be known.
Believed to have originated from a North Korean cyber organisation; WannaCry was a type of malware known as a ransomware worm, capable of travelling from machine to machine directly, infecting new computers across corporate networks.
When it managed to infect a new machine, it first worked in the background to infiltrate itself within the operating system, then restarted the computer and began the process of encrypting the hard drive, rendering it impossible to read without the encryption key.
Victims were then offered the chance to buy the key for $300 (£214).
Simon Stevens, the chief executive of NHS England, told the meeting: “A whole bunch of things need to change.”
Cyber security specialists are now expected to work more closely with NHS trusts to help overcome the problems.
Speaking to BBH; Rob Bolton, technology director and general manager for Western Europe at Infoblox, said: “The NHS is currently facing a number of challenges. Not only is it being called upon to modernise, reform and improve services to meet the needs of ever-more-complex, instantaneous patient demands; it is also facing an ever-mounting threat from cyber criminals operating in groups that are much more agile than the NHS itself. This spans not only technological environments, but processes and the people that have access.
In order for the NHS to effectively defend against cyber crime; IT teams need to carry out regular overviews of their systems, making sure they identify all vulnerable systems, efficient processes for identifying and remediating weaknesses, and have the ability to recognise malicious activity across their network
“Because of this, it is not really a surprise that NHS trusts are struggling to pass cyber security tests.
“Our recent research found that one in four UK healthcare IT professionals do not feel confident in their organisation’s ability to defend against a cyber attack.
“In order for the NHS to effectively defend against cyber crime; IT teams need to carry out regular overviews of their systems, making sure they identify all vulnerable systems, efficient processes for identifying and remediating weaknesses, and have the ability to recognise malicious activity across their network.
“It is also vital that all trusts have a plan in place to deal with a cyber attack relative; external communication to the public and ransom demands are very much a part of this.
“Minimising disruption is key to ensuring that organisations can continue providing essential services to patients.”
Raj Samani, chief scientist and fellow at McAfee, added: “With the great havoc to be reaped by disrupting essential services using ransomware, as well as the mass of sensitive data to be stolen, health and care organisations remain a popular target for cyber criminals.
“This threat is exacerbated by the race for the sector to become more efficient through the digitisation of many processes.
With the great havoc to be reaped by disrupting essential services using ransomware, as well as the mass of sensitive data to be stolen, health and care organisations remain a popular target for cyber criminals
“As this news shows, due to the severe and rapidly-evolving threat it faces; it is hard for the NHS to update its security processes fast enough.
“However, the healthcare industry cannot accept defeat. Instead, it must work with security vendors and other public-sector organisations to share resources and threat intelligence to more effectively combat the growing rate of cyber crime.
“Only once this in place can organisations take a more-strategic approach to their defences and bring us one step closer to finding those responsible.”