NHS Cybersecurity: Breaches Up, Spending Low

A new Freedom of Information (FoI) request has uncovered a litany of cybersecurity failings by NHS trusts across the UK.

Sky News received responses from 97 trusts and found data breaches in the health service had risen from 3133 in 2014 to 4177 last year.

What’s more, the average annual amount spent on cybersecurity was just £23,000, although six trusts claimed to fork out over £100,000.

More worrying is the fact that 45 trusts were unable to put a figure on spending at all, while seven trusts serving more than two million people spent nothing at all in 2015, the report claimed.

The news site engaged consultancy Hacker House to do some digging and claimed to have found that “security across the board was weak for many factors.”

This included out of date SSLs and software and misconfigured email servers – all discoverable via public searches.

The news follows an FoI request in August which revealed that nearly half (47%) of the 67 trusts which replied had suffered a ransomware attack in the past year.

Just a few weeks ago North Lincolnshire and Goole Trust was forced to cancel operations and move high risk patients elsewhere after suffering what’s believed to be a ransomware attack, forcing IT systems offline for days.

Jeannie Warner, security manager at WhiteHat Security, explained that digital health records are a potential money-maker for cyber-criminals on the darknet.

“One of the key vectors targeted by hackers looking to steal data is web applications; roughly 40% of all data breaches occur at this level,” she added.

“When researchers at WhiteHat Security evaluated a large number of healthcare websites, they found that, on average, each site exhibited 12 different software vulnerabilities. To make matters worse, it takes these organizations an average of 208 days to implement a fix for an identified vulnerability."

Stricter regulations enforcing minimum security requirements would improve matters, Warner concluded.

Veracode senior director, Tim Jarrett, added that as the NHS goes paperless it must implement stricter security controls such as encryption and application testing.

What’s Hot on Infosecurity Magazine?