NHS Trusts Failed Cyber Security Assessment

Uploaded on 2018-02-09 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Health & Welfare, TECHNOLOGY--Resilience

Every single one of the 200 British NHS trusts so far assessed for cyber security resilience has failed an onsite assessment, MPs on the Public Accounts Committee were told on 5th February.

There are, a total of 236 trusts and there is no timeline on when the remaining thirty-six will be checked over.

In a hearing about the WannaCry incident last June, entitled "Cyber-attack on the NHS", Rob Shaw, deputy chief exec of NHS Digital, denied it was the case that those bodies who didn't get a passing grade had not done anything over cyber security.
He said: "The amount of effort it takes for NHS providers in such a complex estate to reach the cyber essential plus standard that we assess against... is quite a high bar. Some of them have failed purely on patching, which is what the vulnerability was around Wannacry."

He added: "Some of them need to do a considerable amount of work, but a number of them are on a journey to meeting that requirement."

Shaw said NHS Digital "may want to consider whether to re-inspect those at the highest risk, now we have the additional funding."

Will Smart, chief information officer at NHS Improvement, said that since the incident £21m has been invested in improved cybersecurity, while another £150m has been identified to improve national systems and resilience over the next two years.
He said "further re-prioritisation and additional investment for cyber-security is being considered". Smart declined to say how many organisations were still at high risk, citing security concerns. However, he said it was those organisations who had not been affected by WannaCry but were complacent about their practices that were the ones he was "most worried about".

Smart published a review recently setting out 22 recommendations of the lessons learned around WannaCry. He told MPs having appropriate standards in place across the NHS to enhance resilience and appropriate governance in place to prevent it from happening again were his "top priorities".
In October, the National Audit Office said the NHS could have fended off WannaCry "if only it had taken simple steps to protect its computers", but failed to heed warnings from CareCert about falling victim to a cyber-attack a full year before that incident happened.

Chris Wormald, Permanent Secretary at the Department of Health, said a national response strategy was due to be tested in response to a cyber-attack, but said the incident occurred before the NHS had a chance to trial it.
Before the WannaCry attack, the Department of Health had work underway to strengthen centralised cyber-security in the NHS.

NHS Digital's CareCERT has a system for broadcasting alerts about cyber threats, providing a hotline for dealing with incidents, sharing best practice and carrying out on-site assessments to help protect against future cyber-attacks.

NHS England had embedded the 10 Data Security Standards in the standard NHS contract for 2017-18 and was providing training to its Board and local teams to raise awareness of cyber threats, it said. 

The Register:

You Might Also Read:

Massive Breach: 3m Healthcare Records Compromised:

British NHS Sure To Be Hit By More Cyber Attacks

UK Health Service Should Have Prevented WannaCry Attack:

 

« Cybersecurity Salaries 7% Up In 2018
Hackers Strike Winter Olympics »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Navista

Navista

Navista's hardware and software modules are especially designed to ease the deployment of secure networks.

EclecticIQ

EclecticIQ

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services.

Jetico

Jetico

Jetico provides pure & simple data protection software for all sensitive information throughout the lifecycle. Solutions include data encryption and secure data erasure.

Ikarus Security Software

Ikarus Security Software

Ikarus focuses on antivirus and content-security solutions.

Nation-E

Nation-E

Nation-E offers innovative cyber security solutions for industrial installations, critical infrastructure and smart grids.

Safetica

Safetica

Safetica Technologies is a Czech software company that delivers data protection solutions for businesses of all types and sizes.

Lifespan Technology

Lifespan Technology

Lifespan Technology provides the full range of IT Asset Disposition services. This includes hardware recycling and disposal, data destruction, and hardware resale.

NSW Cyber Security Innovation Node

NSW Cyber Security Innovation Node

NSW Cyber Security Innovation Node is part of a national network designed to foster and accelerate cyber capability and innovation across Australia.

Hazy

Hazy

Hazy specialises in financial services, helping some of the world’s top banks and insurance companies reduce compliance risk.

Mindsight

Mindsight

Mindsight is a technology consulting firm with expertise from cybersecurity to cloud, disaster recovery to infrastructure, and collaboration to contact center.

First Focus

First Focus

First Focus is a managed service provider for medium-sized organisations.

Lighthouse IT

Lighthouse IT

At Lighthouse IT, we are focused on delivering seamless and reliable services to unlock the value of technology for your business.

Ethnos Cyber

Ethnos Cyber

Ethnos Cyber is Africa’s leading cybersecurity and compliance management company. We provide Information Security, Risk Management, Cybersecurity and Compliance Management solutions to clients.

SafeLiShare

SafeLiShare

SafeLiShare’s data security platform unifies encryption strategies for organizations with hybrid and multi-cloud infrastructures, ensuring data is secure regardless of its location.

PlanNet 21 Communications

PlanNet 21 Communications

PlanNet 21 Communications is Ireland most specialised technology solution provider.

Cybermindz

Cybermindz

Many cyber security professionals are under sustained and increasing stress. We set about providing direct support to restore and rebuild emotional and cognitive health.