NHS Trusts Failed Cyber Security Assessment

Uploaded on 2018-02-09 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Health & Welfare, TECHNOLOGY--Resilience

Every single one of the 200 British NHS trusts so far assessed for cyber security resilience has failed an onsite assessment, MPs on the Public Accounts Committee were told on 5th February.

There are, a total of 236 trusts and there is no timeline on when the remaining thirty-six will be checked over.

In a hearing about the WannaCry incident last June, entitled "Cyber-attack on the NHS", Rob Shaw, deputy chief exec of NHS Digital, denied it was the case that those bodies who didn't get a passing grade had not done anything over cyber security.
He said: "The amount of effort it takes for NHS providers in such a complex estate to reach the cyber essential plus standard that we assess against... is quite a high bar. Some of them have failed purely on patching, which is what the vulnerability was around Wannacry."

He added: "Some of them need to do a considerable amount of work, but a number of them are on a journey to meeting that requirement."

Shaw said NHS Digital "may want to consider whether to re-inspect those at the highest risk, now we have the additional funding."

Will Smart, chief information officer at NHS Improvement, said that since the incident £21m has been invested in improved cybersecurity, while another £150m has been identified to improve national systems and resilience over the next two years.
He said "further re-prioritisation and additional investment for cyber-security is being considered". Smart declined to say how many organisations were still at high risk, citing security concerns. However, he said it was those organisations who had not been affected by WannaCry but were complacent about their practices that were the ones he was "most worried about".

Smart published a review recently setting out 22 recommendations of the lessons learned around WannaCry. He told MPs having appropriate standards in place across the NHS to enhance resilience and appropriate governance in place to prevent it from happening again were his "top priorities".
In October, the National Audit Office said the NHS could have fended off WannaCry "if only it had taken simple steps to protect its computers", but failed to heed warnings from CareCert about falling victim to a cyber-attack a full year before that incident happened.

Chris Wormald, Permanent Secretary at the Department of Health, said a national response strategy was due to be tested in response to a cyber-attack, but said the incident occurred before the NHS had a chance to trial it.
Before the WannaCry attack, the Department of Health had work underway to strengthen centralised cyber-security in the NHS.

NHS Digital's CareCERT has a system for broadcasting alerts about cyber threats, providing a hotline for dealing with incidents, sharing best practice and carrying out on-site assessments to help protect against future cyber-attacks.

NHS England had embedded the 10 Data Security Standards in the standard NHS contract for 2017-18 and was providing training to its Board and local teams to raise awareness of cyber threats, it said. 

The Register:

You Might Also Read:

Massive Breach: 3m Healthcare Records Compromised:

British NHS Sure To Be Hit By More Cyber Attacks

UK Health Service Should Have Prevented WannaCry Attack:

 

« Cybersecurity Salaries 7% Up In 2018
Hackers Strike Winter Olympics »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Internet Security Alliance (ISA)

Internet Security Alliance (ISA)

ISA is an international trade association providing thought leadership in advancing a sustainable system of cyber security.

maCERT

maCERT

maCERT is the national Computer Emergency Response Team for Morocco.

Hague Security Delta (HSD)

Hague Security Delta (HSD)

The Hague Security Delta Campus is home of the leading cyber security cluster in Europe with an Innovation Centre, labs and training facilities.

SGCyberSecurity

SGCyberSecurity

SGCyberSecurity is Singapore's No.1 Cyber Security portal. From this platform, you will be able to find useful articles, resources and connect with the security companies for your business needs.

DataSunrise

DataSunrise

DataSunrise Data-Centric high-performance security software protects the sensitive data in real-time in cloud or on premises, and helps organizations to stay compliant.

Internet Storm Center (ISC)

Internet Storm Center (ISC)

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with ISPs to fight back against the most malicious attackers.

SafeBreach

SafeBreach

SafeBreach's platform simulates hacker breach methods across the entire kill chain to identify breach scenarios in your environment before an attacker does.

ACPL Systems

ACPL Systems

We offer leading-edge technology solutions, expert professional and managed services and proven methodologies to ensure your data is protected and business risks are reduced.

Ziroh Labs

Ziroh Labs

Ziroh Labs leverages advanced cryptography to keep your highly sensitive, private data safe throughout the lifecycle of data.

Joint Accreditation System of Australia and New Zealand (JASANZ)

Joint Accreditation System of Australia and New Zealand (JASANZ)

JASANZ is the joint national accreditation body for Australia and New Zealand. The directory of members provides details of organisations offering certification services for ISO 27001.

GrrCON

GrrCON

GrrCON is an information security and hacking conference that provides the Midwest InfoSec community with a fun atmosphere to come together and engage with like minded people.

HackControl

HackControl

HackControl services include penetration tests, security audits, block chain audits and brand and anti-phishing protection.

ANSEC IA

ANSEC IA

ANSEC is a consultancy practice providing independent Information Assurance and IT Security focussed services to customers throughout the UK, Ireland and internationally.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Rootly

Rootly

Rootly is an incident management platform on Slack that helps automate manual admin work during incidents.

Digital Encode

Digital Encode

Digital Encode is a leading consulting and integration firm that specializes in the design, management, and security of business-critical networks, telecommunications, and IT infrastructures.