In an astonishing admission, Department of Health (DoH) officials have acknowledged that every single NHS trust in the UK has failed to meet cyber-security standards.
A parliamentary hearing to tackle the fallout from the WannaCry attacks last year has been told that none of the 200 NHS trusts in the UK has passed a cyber-security vulnerability assessment.
National Data Guardian for Health and Care Fiona Caldicott set out 10 data security standards in July 2017, including accreditation to the government-backed Cyber Essentials Plus scheme, as well as other basic best practice steps designed to mitigate phishing, hacking and password leaks. The requirements cover five technical control areas: firewalls, malware protection, access controls, secure configuration and last but not least patch management.
However, Rob Shaw, NHS Digital's deputy chief executive, said trusts were still failing to meet cyber-security standards and that there was still a “considerable amount” of work to do.
“The amount of effort it takes from NHS Providers in such a complex estate to reach the Cyber Essentials Plus standard that we assess against as per the recommendation in Dame Fiona Caldicott's report, is quite a high bar. So some of them have failed purely on patching which is what the vulnerability was around WannaCry,” he told the Commons' public accounts committee.
WannaCry ransomware infections resulted in an estimated 19,000 cancelled appointments and operations across the UK NHS alone, and spread chaos worldwide.
Javvad Malik, security advocate, AlienVault, told SC Media UK that patching in a huge organisation such as the NHS is not a simple target: “Keeping up to date with the latest security patches and OS updates forms a fundamental part of a security programme. However, in some instances, such as with organisations like the NHS, the number of legacy systems and interconnected networks makes regular patching a challenge. Many systems will be running custom code, or legacy systems which are liable to break if all patches were applied without fully testing, or involving some development. As a result, patches get delayed more and more. Fixing the issue is not as easy as simply upgrading systems; rather it's a fundamental architecture issue on a network that has grown over the years.”
He continued: “That's not to say though that alternative security controls can't be put in place. Having good monitoring and threat detection in place can help identify where malicious activity may be occurring on the network and it can be blocked before it can impact core systems. Similarly, the use of threat intelligence on attacker groups and their attack tools can help prepare organisations like the NHS to proactively search for attacks in advance and take steps to protect its infrastructure.”
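The all-or-nothing nature of the assessment Shaw describes (a trust can fail "purely on patching") and Malik's point about compensating controls on unpatchable legacy systems can be made concrete with a small assessment script. The following is an added illustration, not code from NHS Digital, the Cyber Essentials scheme or anyone quoted in this article: it scores a constructed inventory of hosts against the five control areas named above, treats the estate as failing if any single host fails, and reports separately those failing hosts that have documented compensating controls so that mitigated (rather than fixed) risk stays visible. The 14-day patch window, the host names and the control results are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# The five technical control areas named in the article.
CONTROL_AREAS = ("firewalls", "malware_protection", "access_controls",
                 "secure_configuration", "patch_management")

# Assumed patching window (not a figure from the article or the scheme): a host
# whose last successful patch run is older than this fails patch management.
PATCH_WINDOW_DAYS = 14


@dataclass
class Host:
    name: str
    last_patched: date
    # Results for the four non-patching control areas (True = control in place).
    controls: Dict[str, bool]
    legacy: bool = False
    # Documented compensating controls (segmentation, monitoring, ...). They do
    # not make the host pass; they are reported alongside the failure.
    compensating: Tuple[str, ...] = ()


def patch_control_ok(host: Host, today: date) -> bool:
    """Patch-management control: patched within the assumed window."""
    return today - host.last_patched <= timedelta(days=PATCH_WINDOW_DAYS)


def assess_host(host: Host, today: date) -> Dict[str, bool]:
    """Evaluate all five control areas for one host."""
    results = {area: bool(host.controls.get(area, False))
               for area in CONTROL_AREAS if area != "patch_management"}
    results["patch_management"] = patch_control_ok(host, today)
    return results


def assess_estate(hosts: List[Host], today: date) -> dict:
    """
    Aggregate verdict in the all-or-nothing spirit described in the article:
    one failing host fails the whole estate. Failing hosts that carry
    compensating controls are listed under "mitigated" as well, so the reader
    can see where risk is being detected/contained rather than patched away.
    """
    failing, mitigated = {}, {}
    for host in hosts:
        failed = [area for area, ok in assess_host(host, today).items() if not ok]
        if not failed:
            continue
        failing[host.name] = failed
        if host.compensating:
            mitigated[host.name] = list(host.compensating)
    return {"passed": not failing, "failing": failing, "mitigated": mitigated}


# Constructed sample inventory (illustrative only, not real NHS data).
ALL_OK = {area: True for area in CONTROL_AREAS if area != "patch_management"}
TODAY = date(2018, 2, 6)
SAMPLE_ESTATE = [
    # Fully compliant workstation: patched five days ago, all controls present.
    Host("ward-ws-01", date(2018, 2, 1), dict(ALL_OK)),
    # Legacy imaging controller that cannot be patched without vendor work;
    # segmented and monitored instead, so it fails but is flagged as mitigated.
    Host("legacy-imaging-ctrl", date(2016, 11, 3), dict(ALL_OK), legacy=True,
         compensating=("segmented VLAN", "network monitoring")),
    # Recently patched file server with no malware protection: fails outright.
    Host("file-srv-02", date(2018, 1, 30), {**ALL_OK, "malware_protection": False}),
]

if __name__ == "__main__":
    report = assess_estate(SAMPLE_ESTATE, TODAY)
    print("estate passed:", report["passed"])
    for name, areas in report["failing"].items():
        note = ""
        if name in report["mitigated"]:
            note = " (mitigated by: " + ", ".join(report["mitigated"][name]) + ")"
        print(f"  {name}: failed {', '.join(areas)}{note}")
```

Run as a script it prints a failed estate verdict with two failing hosts, one of them marked as mitigated. The point of separating `failing` from `mitigated` is the one Malik makes: a legacy system that cannot safely take every patch still counts as a failure against the standard, but the report should show whether monitoring and segmentation are in place around it rather than hiding that gap in a single pass/fail figure.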
Of course, the NHS is increasingly under budgetary pressures, which are often seen as a contributory factor to lowered security standards. However, Lee Munson, security researcher, Comparitech.com, pointed out that a comprehensive approach to security was essential: “While funding is certainly the biggest issue, the Department of Health simply throwing money at the problem was never going to be the right approach.
“The top-level management within NHS trusts needs to employ extremely competent and experienced security leaders to identify the risks that are faced, define the appropriate strategies to deal with all of those risks that cannot be accepted under any circumstances, and to put in place policies and procedures that mitigate the attack surface overall. Only then can the correct security personnel and hardware assets be deployed in a manner that limits risk to the best possible level within the confines of extremely limited resources,” he told SC Media UK.