NHS trusts still failing to meet ‘high bar’ standards on cyber security
ALL 200 NHS trusts assessed for cyber security vulnerabilities have failed to meet the standard required, MPS have heard.
In a hearing on the Wannacry attack that crippled parts of the health service last year, Rob Shaw, the NHS Digital deputy chief executive, said the results of the assessments did not mean the trusts had failed to take any action to boost cyber security.
He said the standards set out by Dame Fiona Caldicott, the National Data Guardian, represented a “high bar” and that it was a big effort to meet it, given the complexity of the NHS.
The Wannacry attack that began on May 12 is believed to have infected machines at 81 health trusts across England – a third of the 236 total, plus computers at almost 600 GP surgeries, according to a National Audit Office report released in October. The National Cyber Security Centre has assessed it was “highly likely” the attack was carried out by a shadowy North Korea cyber organisation known as the Lazarus Group.
Mr Shaw said trusts were still failing to meet cyber security standards, admitting some had a “considerable amount” of work to do, although others were “on the journey” to meet requirements. He told the Commons Public Accounts Committee: “We have now completed 200 on-site assessments. The amount of effort it takes from NHS Providers in such a complex estate to reach the cyber essentials plus standard that we assess against, as per the recommendation in Dame Fiona’s report, is quite a high bar.
“So some have failed purely on patching, which was the vulnerability around Wannacry.”