NHS still fails to meet cyber security requirements

By Benny Mansfield

Report shows that the NHS still fails to meet cyber security requirements

On Friday 12th May 2017 a global ransomware attack, known as WannaCry, affected more than 200,000 computers in over 100 countries.

Here in the UK, the NHS was particularly affected with around 80 of 236 trusts across England suffering disruption. WannaCry also infected 603 NHS organisations including 595 GP practices.

At 4pm on the same day, NHS England declared the cyber-attack a major incident and implemented its emergency arrangements to maintain health and patient care.

Fast-forward 12 months and it appears that the NHS still isn’t up to scratch with its cybersecurity.

A report by the Government’s Public Accounts Committee (PAC) said that the NHS had assessed the cyber security level of 200 trusts. But disappointingly, not one passed – in some cases because they had failed to apply critical patches to their systems, which was the main reason why the NHS was vulnerable to WannaCry in the first place.

Committee Chair, Meg Hillier MP said:

“The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cyber security and response plans of the NHS.”

“I am struck by how ill-prepared some NHS trusts were for WannaCry, in many cases failing to act on warnings to patch exposed systems because of the anticipated impact on other IT and medical equipment.”

“Meanwhile, this case serves as a warning to the whole of government: a foretaste of the devastation that could be wrought by a more malicious and sophisticated attack. When it comes, the UK must be ready.”

New funding

Immediately after the WannaCry attack, the department reprioritised £21m in funding to address key vulnerabilities in major trauma centres and ambulance trusts, while a further £25m was allocated for 2017/18 to support organisations most vulnerable to cyber security risks.

The report recommended the Department of Health should provide an update by June on its national estimate of the cost to the NHS of WannaCry and how national bodies should target investment appropriately in line with service and financial risks.

While this report is concerning, it also shows us just how important it is that organisations take their cyber security seriously. If a cyber-attack could cripple the NHS like it did last year and cause ripples that are lasting far longer than the initial breach, imagine what it could do to your business!

If you have any concerns about your cyber-security, all you have to do is ask us.