Over nine months have passed since the destructive WannaCry ransomware attacks disrupted operations at hundreds of NHS trusts and GP clinics across the UK, yet an overwhelming number of those trusts remain vulnerable to similar cyber attacks.
The Department of Health recently revealed that as many as 200 NHS Trusts have failed to meet cyber security standards that are essential for them to defend against sophisticated cyber attacks in the future.
While addressing the public accounts committee at the House of Commons, Rob Shaw, deputy chief executive at NHS Digital, said that every single NHS Trust which the Department of Health had assessed had failed to meet essential cyber security standards set out by Dame Fiona Caldicott, the national data guardian. He added that some of the Trusts have a considerable amount of work to do in order to comply with the standards.
‘The amount of effort it takes from NHS Providers in such a complex estate to reach the cyber essentials plus standard that we assess against as per the recommendation in Dame Fiona Caldicott’s report, is quite a high bar. So some of them have failed purely on patching which is what the vulnerability was around WannaCry,’ he said.
The ‘standards’ he spoke about were set out by Dame Fiona Caldicott in a report titled ‘Review of Data Security, Consent and Opt-Outs’, which was published in July 2016. The report proposed ten data security standards which the government was asked to implement in order to secure NHS Trusts and hospitals from cyber attacks.
Among other things, the report asked trusts to make security control as high a priority as financial control and recommended improved cyber security, embedding data protection in financial contracts and harsher sanctions for malicious data breaches.
‘The leadership of every organisation should demonstrate clear ownership and responsibility for data security, just as it does for clinical and financial management and accountability. People’s confidential data should be treated with the same respect as their care,’ the report said.
To implement the report’s recommendations, the government announced an investment of £21 million last year to boost cyber-resilience of 27 NHS trauma centres as an ‘immediate priority’. At the same time, the government said it would invest a total of £50 million to address key structural weaknesses in the health and care system.
The government directed NHS Digital to use these funds to support new data security standards and to introduce health and care organisations to tools that can identify potential vulnerabilities. The government also pledged to work with NHS institutions to assess whether existing frameworks like Cyber Essentials Plus and ISO2700 will meet their particular needs.
In October, NHS England also announced new 2017/18 Data Security and Protection Requirements to help healthcare organisations in the UK prepare for a new assurance framework coming into place from April 2018.
Despite such efforts, NHS Trusts continue to lag behind in implementing appropriate security measures and in ensuring compliance with the upcoming Data Protection Law. It remains to be seen whether the rap from the Department of Health will accelerate their efforts to comply with Dame Fiona Caldicott’s recommendations in the coming days.
‘The NHS Trust must make serious changes in their approach to cyber defence. There can be no excuses for falling short of cyber-security standards when you’re holding valuable data and are in control of critical healthcare systems. Only innovative technology is able to keep up with ever-changing methods by hackers, unlike anti-virus which is just not working,’ noted Greg Sim, CEO at Glasswall Solutions.
‘The NHS is currently facing a number of challenges. Not only is it being called upon to modernise, reform and improve services to meet the needs of ever more complex, instantaneous patient demands, it is also facing an ever mounting threat from cybercriminals operating in groups that are much more agile than the NHS itself. This spans not only technological environments, but processes and the people that have access,’ says Rob Bolton, Technology Director and GM for Western Europe at Infoblox.
‘Because of this, it is not really a surprise that NHS trusts are struggling to pass cybersecurity tests. Our recent research found that 1 in 4 UK healthcare IT professionals do not feel confident in their organisation’s ability to defend against a cyberattack.
‘In order for the NHS to effectively defend against cybercrime, IT teams need to carry out regular overviews of their systems, making sure they identify all vulnerable systems, have efficient processes for identifying and remediating weaknesses, and have the ability to recognise malicious activity across their network.
‘It is also vital that all trusts have a plan in place to deal with a cyberattack relative; external communication to the public and ransom demands are very much a part of this. Minimising disruption is key to ensuring that organisations can continue providing essential services to patients,’ he adds.