Passwords leave NHS open to cyber attacks
NHS hospitals are at risk of further cyber attacks because staff are using weak passwords, a report reveals.
Health chiefs warned that one in four official user accounts granting access to sensitive patient data and vital systems are inadequately protected, while many organisations are failing to update their security software.
Around 10 per cent of administrator accounts, used by those who oversee IT systems, also used weak passwords. The briefing by NHS Digital emerged three months after the global Wannacry attack, which pitched the health service into chaos.
Outdated software and a widespread failure to update security packages were blamed for the crisis that saw the cancellation of more than 15,000 operations and appointments.
The report was based on an assessment of 64 NHS organisations, ranging from hospitals and GP surgeries to specialist IT infrastructure units, undertaken before the May attack. It found that in “practically all” organisations, members of staff could access a wealth of patient data, backup files and passwords. The survey also revealed that 17 per cent of active accounts had been unused in the previous 12 months, indicating accounts were not being deactivated when some staff left.
NHS Digital warned there is a widespread “false sense of security” in the NHS.
Chris Flynn, the security operations lead at the organisation, said: “These figures were collated before the Wannacry issue and we know many organisations have made improvements in all of these areas since this time.”
Since Wannacry, the Government has imposed more control and oversight of NHS data security, including forcing health chiefs to prove they are protecting their organisation’s data. NHS Digital confirmed this week that a contract had been signed with Microsoft to run a cyber threats detection service for the NHS.