NHS rejects security plans as too expensive
NHS chiefs look set to reject the health service's own proposals to boost cybersecurity because the £1bn bill is too expensive.
A report published in February recommended a “minimum bar” for security that all health organisations must meet by June 2021.
It was commissioned by the Government in response to the WannaCry ransomware attack in May 2017, which affected 81 NHS trusts, leading to thousands of cancelled operations, postponed appointments and diverted ambulances.
The report’s author, NHS chief information officer Will Smart, wrote that the service must be “equipped to withstand and respond to cyber attacks in an effective manner which minimises disruption to services and impact on our patients”.
His recommendations, estimated to cost between £800m and £1bn, were backed by the National Cyber Security Centre. But NHS Digital – which maintains IT systems in the service – said getting all health providers to meet the new standards wouldn’t be “value for money”.
Its assessment was revealed by the Health Service Journal in a Freedom of Information request. Papers released also showed that the NHS comes under continuous attack. In April alone several scam NHS websites were uncovered.
The Department of Health didn’t comment directly on NHS Digital’s position, saying instead that “every part of the NHS must be clear that it has learned the lessons of WannaCry”.
A spokesman added: “We plan to spend a further £150 million over the next two years to improve resilience, including setting up a new National Secure Operations Centre to boost our ability to prevent, detect and respond to incidents”.