show image

NHS Digital is set to launch a £20m security unit run by white hat hackers

NHS Digital has pledged to pay white hat hackers £20m to create and deliver a new cyber security unit.

Under the plans, security experts will attempt to find and fix vulnerabilities in NHS IT systems before criminals strike.

“The partnership will provide access to extra specialist resources during peak periods and enable the team to proactively monitor the web for security threats and emerging vulnerabilities,” NHS Digital said.

NHS staff were left reeling in May after WannaCry ransomware swept through hospitals across England. A National Audit Office report published in October found that the attack led to the cancellation of an estimated 19,500 appointments.

“[The unit] will also allow us to improve our capabilities in ethical hacking, vulnerability testing and the forensic analysis of malicious software and will improve our ability to anticipate future vulnerabilities while supporting health and care in remediating known threats,” NHS Digital added.

Trevor Luker, director of security operations and threat intelligence at Mimecast, welcomed the news, saying the NHS should be able to get something working “quite quickly”. But he warned NHS trusts against using the unit as an excuse to under-invest in their own security systems.

“The risk is that if the trusts have a central resource like this that they might de-skill their local resource pool to save on regional budgets,” he said. “This in turn could lead to slower response to an incident, so in fact making the problem worse.”

In the wake of WannaCry, the government pledged to spend £50m on improving cyber security and patient data in the NHS, which includes the creation of a £21m fund for the UK’s 27 major trauma centres.

David Evans, the Chartered Institute for IT’s policy director, questioned the logic in providing extra cyber security funding for major trauma centres, but not for the rest of the NHS’s 240 trusts.

“The additional funding will be welcomed by NHS CIOs at major trauma sites, but the rest will have to consider cuts to other areas of budgets to shore up cyber security,” he said.