
Most NHS trusts have failed their cyber security assessments, NHS Digital admits

NHS Digital deputy CEO Rob Shaw told the Public Accounts Committee that all 200 trusts assessed for cyber security, both before and after the WannaCry attack, have failed their assessments

All 200 NHS trusts that have been assessed for cyber security resilience failed their assessments, according to NHS Digital deputy CEO Rob Shaw.

Speaking at a Public Accounts Committee (PAC) hearing on the WannaCry cyber attack on the NHS yesterday (5 February), Shaw said some trusts still have a long way to go before meeting the official cyber security requirements.

The assessments are part of national data guardian Fiona Caldicott’s review of NHS data security, which was published in July 2016 and sets out a series of recommendations and standards around security in the NHS.

Before the WannaCry attack, which was not specifically targeted at the NHS but hit the health service particularly hard, 88 trusts had been assessed, and all had failed.

The WannaCry attack affected 80 hospital trusts – one-third of all trusts in England. More than 600 primary care organisations were also affected.

Shaw said that 200 trusts, out of a total of 236, have been assessed so far. “We have now completed 200 on-site assessments,” he said. “All trusts have still failed.” He added that there are “reasons for that, so this isn’t a case of all the trusts have done nothing around cyber security.”

“The amount of effort it takes from NHS providers in such a complex estate to reach the Cyber Essentials Plus standard that we assess against, per the recommendations in Dame Fiona Caldicott’s report, is quite a high bar.” Shaw added that some of the trusts had “failed purely on patching”.


One of the key reasons the NHS was affected so badly by the attack was the lack of patching of systems within trusts. None of the 80 trusts affected by the attack had applied the latest patch, despite being advised to do so by NHS Digital in April 2017.

A lessons learned report on the WannaCry attack, published last week, said it has become clear that more funding is needed to support cyber security investment across the NHS.

The government has already “reprioritised” £21m from the Personalised Health and Care 2020 programme, originally intended for ambulance trusts and trauma centres, and put it towards cyber preparedness for organisations. It has also identified a further £25m of capital funding for the 2017-18 financial year, to be given to trusts that are non-compliant against NHS Digital’s CareCERT alerts. So far, an initial £150m has been earmarked for cyber security.

Department of Health permanent secretary Chris Wormald told the PAC hearing that although there is national investment in cyber security, “individual trusts and other institutions in the NHS are responsible for their own cyber security and need to be investing their own money”.

The Care Quality Commission (CQC) will also complete a series of unannounced inspections between now and March in organisations where there are concerns around cyber security.
