Each of the 200 NHS trusts tested for cyber security resilience has failed the test, MPs were told yesterday.
Speaking to the Public Accounts Committee, NHS Digital’s Rob Shaw said that while some trusts are close to satisfying the requirements, others have a considerable amount of work still to do.
“The amount of effort it takes for NHS providers in such a complex estate to reach the Cyber Essentials Plus standard that we assess against is quite a high bar,” he said. “Some of them have failed purely on patching, which is what the vulnerability was around WannaCry.”
The assessments began before the WannaCry attack paralysed parts of the NHS and thousands of other organisations in May last year. A further 36 trusts are yet to be assessed.
The “relatively unsophisticated” ransomware led to the cancellation of an estimated 19,500 appointments across 81 trusts in England, a National Audit Office (NAO) report revealed last year.
The report concluded that the strike could have been prevented if hospital trusts had taken basic steps to secure their IT systems.
Amyas Morse, head of the NAO, warned that “there are more sophisticated cyber attacks out there” and that the Department for Health and the NHS “need to get their act together”.
The report highlights that while the Department for Health had written to trusts in 2014 to urge them to update old software, it had no formal mechanism for checking that they had done so.
In the wake of WannaCry, the government has pledged to spend £50m on improving cyber security and patient data in the NHS, which includes the creation of a £21m fund for the UK’s 27 major trauma centres.
David Evans, the Chartered Institute for IT’s policy director, questioned the logic in providing extra cyber security funding for major trauma centres, but not for the rest of the NHS’s 240 trusts.
“The additional funding will be welcomed by NHS CIOs at major trauma sites, but the rest will have to consider cuts to other areas of budgets to shore up cyber security,” he said.