NHS cyber defences ‘still vulnerable’ as UK rebuffs record number of attacks
An assessment of National Health Service trusts has found that none of them meet the required cyber security standards.
In a hearing on the WannaCry attack that crippled parts of the health service last year, NHS Digital deputy chief executive Rob Shaw said the results of the assessments do not mean the trusts had failed to take any action to boost cyber security.
He said the standards set out by National Data Guardian Dame Fiona Caldicott represent a “high bar” and that it is a big effort to meet it given the complexity of the NHS.
But he said that while some trusts are “on the journey” to meeting the requirements, others still have a “considerable amount” of work to do.
The WannaCry attack that began on 12 May 2017 is believed to have infected machines at 81 health trusts across England, a third of the 236 total, plus computers at almost 600 GP surgeries, according to a National Audit Office (NAO) report released in October.
The attack was so bad that the chances of serious patient care incidents occurring increased considerably.
The National Cyber Security Centre has assessed it was “highly likely” the attack was carried out by the shadowy North Korean cyber organisation known as the Lazarus Group.
Figures released recently by the National Cyber Security Centre showed that Britain's cyber defences are repelling millions of attacks every month as criminals pump out huge numbers of fake government websites and emails.
On average, 4.5 million malicious emails purporting to be sent from government or public sector bodies were being blocked each month, or 54 million a year.
A breakdown of agencies featuring in the most fake emails shows criminals are persistently trying to spoof local councils, as well as national organisations such as the NHS and HMRC.
“The amount of effort it takes from NHS Providers in such a complex estate to reach the Cyber Essentials Plus standard that we assess against as per the recommendation in Dame Fiona Caldicott’s report is quite a high bar,” Shaw said.
“So some of them have failed purely on patching, which is what the vulnerability was around WannaCry.
“I always take it better to have information to know where your vulnerabilities are so that you can do something about it rather than hope that you will be okay when you do get an attack.
“So these vulnerability reports go back to the trusts and their trust boards to be able to work out how they can then do mitigation.
“Some need to do quite a considerable amount of work but a number of them are already on the journey that will take them towards meeting that requirement.
“One of the things we may want to consider, and it’s something now that we’ve got the additional funding available, is whether we should go back and reinspect some of those where there’s the highest risk in order to provide ourselves with the assurance that we’re going in the right direction.”
Last month the government warned companies behind Britain’s most critical industries to boost cyber security or face hefty fines for leaving themselves vulnerable to attack.