Even after the devastating effects of the WannaCry ransomware attack in 2017, all of the NHS trusts that have completed cybersecurity assessments have failed.
Department of Health officials have said that every single one of the 200 trusts had failed the test, even after security measures and practices had been enhanced.
This may not come as a surprise given the ease with which WannaCry took hold of the NHS last year, after the organisation had failed to patch an already outdated Windows operating system that is specially maintained by the provider for its use.
Raj Samani, Chief Scientist and Fellow at McAfee, said: “As this news shows, due to the severe and rapidly evolving threat it faces, it is hard for the NHS to update its security processes fast enough. However, the healthcare industry cannot accept defeat. Instead, it must work with security vendors and other public sector organisations to share resources and threat intelligence to more effectively combat the growing rate of cybercrime. Only once this is in place can organisations take a more strategic approach to their defences and bring us one step closer to finding those responsible.”
Rob Shaw, the NHS Digital deputy chief executive, commented on the significant amount of work the organisation has yet to do to meet suitable standards for handling today’s threat landscape.
Rob Bolton, Technology Director and GM for Western Europe, Infoblox, said: “The NHS is currently facing a number of challenges. Not only is it being called upon to modernise, reform and improve services to meet the needs of ever more complex, instantaneous patient demands, it is also facing an ever mounting threat from cybercriminals operating in groups that are much more agile than the NHS itself. This spans not only technological environments, but processes and the people that have access.”
Healthcare globally is proving an extremely slow-moving target for hackers, with multitudes of entry points that can be leveraged and a lack of sophisticated cybersecurity. As reported by the Guardian, Simon Stevens, the chief executive of NHS England, said in a meeting: “A whole bunch of things need to change.”
Dr Anton Grashion, manager – security practice at Cylance, said: “Although it was a relatively small data set from which to assess the security expertise of a territory, some of the problem boils down to increasing complexity both in threat landscape and the complexity of building the countermeasures. Using the example of the NHS and WannaCry; if the malware had been stopped before it detonated, much of the knock-on effect would have been avoided.”