Every NHS Trust has failed to meet the recommended data security standards, a parliamentary committee has heard.
NHS Digital deputy chief executive Rob Shaw told a Public Accounts Committee hearing that his agency had completed 200 on-site assessments, and no Trusts had managed to meet the recommendations set out by Fiona Caldicott.
The national data guardian for health and care set out 10 data security standards, confirmed by the government in July 2017.
These include accreditation to the government-backed Cyber Essentials Plus scheme, which aims to improve baseline security with a series of best-practice steps organizations can take. Unlike the regular Cyber Essentials scheme, it requires a third-party assessment.
The requirements include basic steps to help mitigate the risk of phishing, hacking, password-guessing and more. The scheme covers five technical control areas: firewalls; secure configuration; access controls; malware protection; and patch management.
However, Shaw suggested that even this was too high a standard for the NHS Trusts that were assessed.
“The amount of effort it takes from NHS providers in such a complex estate to reach the Cyber Essentials Plus standard that we assess against, as per the recommendation in Dame Fiona Caldicott’s report, is quite a high bar,” he told the committee. “So some of them have failed purely on patching, which is what the vulnerability was around WannaCry.”
The committee was holding an inquiry into the ransomware outbreak, which is said to have led to an estimated 19,000 cancelled appointments and operations. It could have been wholly prevented if NHS organizations had applied the Windows patch they had been told to install two months earlier.
Neil Haskins, director of advisory services at pen testing firm IOActive, described the news as “shocking.”
“Unfortunately, the NHS is more used to treating the symptoms of its patients, rather than causes of disease, and the same could be said for its approach to cybersecurity. In almost all cases in cybersecurity, however, by the time symptoms appear, it is too late,” he told Infosecurity.
“In the wake of WannaCry, if you were waiting for a life-saving operation, it may have been cancelled. If you were in a car crash, the ambulance may have been diverted 40 miles away. Forget your run-of-the-mill breach, where data and trust is all that’s lost. WannaCry was a genuine loss-of-life cyber-event, all because Windows 7 wasn’t patched. Is that acceptable for an organization, trusted with the care and well-being of you and your loved ones?”
He argued that the NHS and other organizations need to move away from a tick-box approach to cybersecurity to one where vulnerabilities are continuously being spotted and mitigated.
“Cyber and information security is not an IT issue, it’s a business one. As such, the NHS should absolutely be focused on having skilled experts providing actionable intelligence, enabling them to make business decisions based on risk, impact and likelihood,” Haskins concluded.
“Action should be taken on this advice, driven from the top down.”