NHS Trusts Failed Cyber Security Assessment

Every single one of the 200 British NHS trusts so far assessed for cyber security resilience has failed an onsite assessment, MPs on the Public Accounts Committee were told on 5th February.

There are, a total of 236 trusts and there is no timeline on when the remaining thirty-six will be checked over.

In a hearing about the WannaCry incident last June, entitled "Cyber-attack on the NHS", Rob Shaw, deputy chief exec of NHS Digital, denied it was the case that those bodies who didn't get a passing grade had not done anything over cyber security.
He said: "The amount of effort it takes for NHS providers in such a complex estate to reach the cyber essential plus standard that we assess against... is quite a high bar. Some of them have failed purely on patching, which is what the vulnerability was around Wannacry."

He added: "Some of them need to do a considerable amount of work, but a number of them are on a journey to meeting that requirement."

Shaw said NHS Digital "may want to consider whether to re-inspect those at the highest risk, now we have the additional funding."

Will Smart, chief information officer at NHS Improvement, said that since the incident £21m has been invested in improved cybersecurity, while another £150m has been identified to improve national systems and resilience over the next two years.
He said "further re-prioritisation and additional investment for cyber-security is being considered". Smart declined to say how many organisations were still at high risk, citing security concerns. However, he said it was those organisations who had not been affected by WannaCry but were complacent about their practices that were the ones he was "most worried about".

Smart published a review recently setting out 22 recommendations of the lessons learned around WannaCry. He told MPs having appropriate standards in place across the NHS to enhance resilience and appropriate governance in place to prevent it from happening again were his "top priorities".
In October, the National Audit Office said the NHS could have fended off WannaCry "if only it had taken simple steps to protect its computers", but failed to heed warnings from CareCert about falling victim to a cyber-attack a full year before that incident happened.

Chris Wormald, Permanent Secretary at the Department of Health, said a national response strategy was due to be tested in response to a cyber-attack, but said the incident occurred before the NHS had a chance to trial it.
Before the WannaCry attack, the Department of Health had work underway to strengthen centralised cyber-security in the NHS.

NHS Digital's CareCERT has a system for broadcasting alerts about cyber threats, providing a hotline for dealing with incidents, sharing best practice and carrying out on-site assessments to help protect against future cyber-attacks.

NHS England had embedded the 10 Data Security Standards in the standard NHS contract for 2017-18 and was providing training to its Board and local teams to raise awareness of cyber threats, it said. 

The Register:

You Might Also Read:

Massive Breach: 3m Healthcare Records Compromised:

British NHS Sure To Be Hit By More Cyber Attacks

UK Health Service Should Have Prevented WannaCry Attack:

 

« Cybersecurity Salaries 7% Up In 2018
Hackers Strike Winter Olympics »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Malwarebytes

Malwarebytes

Malwarebytes provides artificial intelligence-powered technology that stops cyberattacks before they can compromise computers and endpoints.

Cortado Mobile Solutions

Cortado Mobile Solutions

Cortado Mobile Solutions is the manufacturer of the mobile device management solution Cortado MDM.

Red Hat

Red Hat

Red Hat is a leader in open source software development. Our software security team proactively identifies weaknesses before they become problems.

Kaseya

Kaseya

Kaseya is a premier provider of unified IT management and security software for managed service providers (MSPs) and small to medium-sized businesses (SMBS).

Conscia

Conscia

Conscia provides IT infrastructure solutions and 24/7 services in network, data center, security and mobility.

RIPS Technologies

RIPS Technologies

RIPS Technologies delivers automated security analysis for PHP applications as platform independent software or highly scalable cloud service.

FortifyData

FortifyData

FortifyData is the next generation of cyber risk management–a comprehensive platform that continuously evaluates your third-party, internal and people risks.

Privakey

Privakey

Transaction Intent Verification. Privakey delivers a secure channel to streamline high risk transactions, enabling digital trust between services and their users.

CyberCyte

CyberCyte

CyberCyte provides a disruptive built-in integrated physical, network and perimeter security solution framework.

Binary Security AS

Binary Security AS

Binary Security is a Norwegian information security consultancy company. We are specialists at application security, penetration testing and secure code reviews.

UnderDefense

UnderDefense

UnderDefense provides cyber resiliency consulting and technology-enabled services to anticipate, manage and defend against cyber threats.

Experis

Experis

Experis provide IT resourcing, project solutions and managed services. We enable organizations to cultivate individuals and teams prepared for the digital age.

Securosys

Securosys

Securosys is a technology company dedicated to securing data and communications. We develop, produce, and distribute hardware, software and services that protect and verify data and their transmission

Maritime Cyber Threats Research Group - University of Plymouth

Maritime Cyber Threats Research Group - University of Plymouth

The Maritime Cyber Threats research group of the University of Plymouth is focused on investigating marine cyber threats and researching solutions.

Sansec

Sansec

Sansec is the global leader in eCommerce malware and vulnerability detection. We help you to stay ahead of hackers!

Inholo

Inholo

Inholo offers tools to manage the risks of synthetic realities, starting with an AI-photo detection service.