All 200 NHS Trusts assessed for cyber security vulnerabilities have failed to meet the basic security standard recommended for them, a Public Accounts Committee hearing has been told.
Addressing MPs at the ‘Cyber-attack on the NHS’ hearing, Rob Shaw, deputy chief executive of NHS Digital, discussed the results of on-site assessments of 200 of the 236 NHS Trusts in England. Not one of the 200 achieved a passing grade.
Defending the Trusts, Shaw said: “Some of them need to do a considerable amount of work, but a number of them are on a journey [to] meeting that requirement.”
Shaw continued: “The amount of effort it takes from NHS providers in such a complex estate to reach the Cyber Essentials Plus standard that we assess against as per the recommendation in Dame Fiona Caldicott’s report, is quite a high bar. So some of them have failed purely on patching, which is what the vulnerability was around WannaCry.”
Shaw added NHS Digital “may want to consider whether to reinspect those at the highest risk”.
“Lessons learned” from WannaCry
The hearing, which addressed the WannaCry ransomware attack of May 2017, comes just days after Will Smart, chief information officer for Health and Social Care, released his review of the attack: Lessons learned review of the WannaCry Ransomware Cyber Attack.
Smart considers key messages from the NHS’s internal assessments and two national reviews to make 22 recommendations for improving defences against cyber threats in health and social care. The first of these recommendations suggests all organisations achieve “compliance with the Cyber Essentials Plus standard by June 2021, as recommended by the NCSC”.
Achieving basic data security standards
Cyber Essentials Plus, the scheme recommended by both the Caldicott review and the Smart review, is the independently tested tier of Cyber Essentials. The scheme sets out five basic security controls (boundary firewalls, secure configuration, user access control, malware protection and patch management) that, according to the UK government, could prevent “around 80% of cyber attacks”. Certification also provides an assurance mechanism for organisations to demonstrate to customers and suppliers that these controls are in place. Patch management is the control most directly relevant to WannaCry, which spread through systems missing a security update Microsoft had already released.
Properly implemented cyber security has the additional advantage of supporting business efficiency: fewer incidents mean less unplanned downtime and recovery cost, and a documented baseline of controls reduces the effort of repeated audits.
Achieving certification will also help organisations address other compliance requirements, such as the EU General Data Protection Regulation.
IT Governance is the leading CREST-accredited certification body, and has helped both NHS and healthcare industry partners to achieve certification.