NHS Trusts Fail Government Cybersecurity Tests

Only one of hundreds of NHS trusts has passed the government-backed Cyber Essentials Plus assessment, according to a concerning new report from the National Audit Office (NAO).

Of the 204 trusts with on-site assessments in place, the average score was 63%, according to a new report from the NAO on digital transformation in the health service.

Although this is an increase from an estimated 50% in 2017, trusts require a 100% pass rate. The scheme tests areas such as vulnerability management, access controls, end-user devices, servers and network security.

“NHSX and NHS Digital consider some trusts have reached an acceptable standard, even though they did not score 100% in the assessment, and note there has been a general improvement in cybersecurity across the NHS,” the NAO explained.

“However, while some attempts have been made to address underlying cybersecurity issues, and progress has been made, it remains an area of concern. A 2019 survey of 186 IT leaders across the sector showed that 61% considered cybersecurity one of their top priorities (sixth highest priority overall).”

The NAO expressed particular concerns over legacy systems in the NHS, although it claimed that since the 2017 WannaCry incident a Windows 10 licensing agreement has been reached which should partly address this. A Data Security Centre was also launched to help prevent, detect and respond to cyber-attacks.

The NAO’s report on the ransomware worm laid the blame on systemic failures at the NHS and Department of Health. Although NHS Digital issued, in March and April 2017, critical alerts to patch the flaws which were ultimately exposed by WannaCry, there was no formal mechanism for checking whether trusts had complied, it found.

Incident response plans were also found not to have been tested at a local level, meaning some trusts couldn’t communicate with national bodies when the ransomware struck.

Around a third of trusts were disrupted due to the cyber-attack, with an estimated 19,000 appointments and operations cancelled. It’s calculated to have cost the NHS £92m, mainly in emergency IT support.

What’s Hot on Infosecurity Magazine?