NHS Trusts Failed Cyber Security Assessment

Every single one of the 200 British NHS trusts so far assessed for cyber security resilience has failed an onsite assessment, MPs on the Public Accounts Committee were told on 5th February.

There are, a total of 236 trusts and there is no timeline on when the remaining thirty-six will be checked over.

In a hearing about the WannaCry incident last June, entitled "Cyber-attack on the NHS", Rob Shaw, deputy chief exec of NHS Digital, denied it was the case that those bodies who didn't get a passing grade had not done anything over cyber security.
He said: "The amount of effort it takes for NHS providers in such a complex estate to reach the cyber essential plus standard that we assess against... is quite a high bar. Some of them have failed purely on patching, which is what the vulnerability was around Wannacry."

He added: "Some of them need to do a considerable amount of work, but a number of them are on a journey to meeting that requirement."

Shaw said NHS Digital "may want to consider whether to re-inspect those at the highest risk, now we have the additional funding."

Will Smart, chief information officer at NHS Improvement, said that since the incident £21m has been invested in improved cybersecurity, while another £150m has been identified to improve national systems and resilience over the next two years.
He said "further re-prioritisation and additional investment for cyber-security is being considered". Smart declined to say how many organisations were still at high risk, citing security concerns. However, he said it was those organisations who had not been affected by WannaCry but were complacent about their practices that were the ones he was "most worried about".

Smart published a review recently setting out 22 recommendations of the lessons learned around WannaCry. He told MPs having appropriate standards in place across the NHS to enhance resilience and appropriate governance in place to prevent it from happening again were his "top priorities".
In October, the National Audit Office said the NHS could have fended off WannaCry "if only it had taken simple steps to protect its computers", but failed to heed warnings from CareCert about falling victim to a cyber-attack a full year before that incident happened.

Chris Wormald, Permanent Secretary at the Department of Health, said a national response strategy was due to be tested in response to a cyber-attack, but said the incident occurred before the NHS had a chance to trial it.
Before the WannaCry attack, the Department of Health had work underway to strengthen centralised cyber-security in the NHS.

NHS Digital's CareCERT has a system for broadcasting alerts about cyber threats, providing a hotline for dealing with incidents, sharing best practice and carrying out on-site assessments to help protect against future cyber-attacks.

NHS England had embedded the 10 Data Security Standards in the standard NHS contract for 2017-18 and was providing training to its Board and local teams to raise awareness of cyber threats, it said. 

The Register:

You Might Also Read:

Massive Breach: 3m Healthcare Records Compromised:

British NHS Sure To Be Hit By More Cyber Attacks

UK Health Service Should Have Prevented WannaCry Attack:

 

« Cybersecurity Salaries 7% Up In 2018
Hackers Strike Winter Olympics »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Wisegate

Wisegate

Wisegate is a community of IT experts providing advisory services on all areas of IT including security.

Information Security Research Association (ISRA)

Information Security Research Association (ISRA)

ISRA is a non-profit organization focused on various aspects of Information Security including security research and cyber security awareness activities.

Datiphy

Datiphy

Datiphy's data-centric security platform uses behavioral analytics, and data-centric auditing and protection capabilities to mitigate risk.

Arcanum Information Security (AIS)

Arcanum Information Security (AIS)

Arcanum Information Security is a specialist Information Assurance Consultancy and a leading provider of Cyber Security services to UK Defence, UK Government, Enterprise businesses and SMEs.

Red Alert Labs

Red Alert Labs

Red Alert Labs is an IoT security provider. We created an independent security lab with a disruptive business offer to solve the technical and commercial challenges in IoT.

Ultratec

Ultratec

Ultratec provide a range of data centric services and solutions including data recovery, data erasure, data destruction and full IT Asset Disposal (ITAD).

CyberCX

CyberCX

CyberCX provides services from strategic consulting, security testing and training to world-class managed services and engineering solutions.

ANSEC IA

ANSEC IA

ANSEC is a consultancy practice providing independent Information Assurance and IT Security focussed services to customers throughout the UK, Ireland and internationally.

HB-Technologies

HB-Technologies

HB-Technologies is pioneer in Africa, in digital security, embedded electronic and IT solutions based on highly secure smart cards that comply with international standards and norms.

MetaCert

MetaCert

MetaCert’s Zero Trust browser software reduces the risk of organizations being compromised with a phishing-led cyberattack by more than 98%.

BugDazz

BugDazz

BugDazz pentest as a service (PTaaS) platform helps bringing in real-time results, detail coverage, & easy remediation workflows with compliance-ready reports.

Wisetek

Wisetek

Wisetek is a global provider of end-to-end IT Asset Disposition (ITAD), reuse and secure data destruction management services to the world’s leading IT Corporations, data centres and manufacturers.

Paperclip

Paperclip

Paperclip provides paperless solutions while enabling compliance and security for the exchange of critical content.

CyberMaxx

CyberMaxx

At CyberMaxx, our approach to cybersecurity provides end-to-end coverage for our customers – we use offense to fuel defense.

TetherView

TetherView

TetherView provides leading virtual desktop and email security technology to help businesses stand up and manage digital workspaces.

Prompt Security

Prompt Security

Prompt Security provides an LLM agnostic approach to ensure security, data privacy and safety across all aspects of Generative AI.