View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Just 1 of the NHS’s 200+ Trusts Has a Clean Security Scorecard

"The average score across the trusts was 63 percent"

By CBR Staff Writer

A mere one of the NHS’s 200+ trusts has passed the government’s “Cyber Essentials Plus” test, according to a worrying new audit report.

The National Audit Office (NAO) report reveals that of the 204 trusts that had mandatory on-site cybersecurity inspections, only one got the full pass mark required for “Cyber Essentials Plus” accreditation.

See also: The UK’s Newly Streamlined “Cyber Essentials” 

To get the NCSC-backed certificate, organisations need a 100 percent pass mark against a range of security tests, including an external vulnerability assessment, an internal scan and an on-site assessment.

These check access control, firewall configurations and patch management processes, among a range of other factors.

Most trusts didn’t come close to a clean sheet.

NHS Trusts Cybersecurity Tests: Scores Ring Alarm Bells

“The average score across the trusts was 63 percent”, the NAO report, published late Friday, notes.

“However, NHSX and NHS Digital consider some trusts have reached an acceptable standard” it adds, saying that improvements have been made since the devastating 2017 WannaCry ransomware attack.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Security, however, “remains an area of concern.”

(Experts say the challenges of upgrading hardware still relying on legacy operational systems like XP, or software that is no longer produced/patched are huge in the NHS. Much of the affected equipment is vital to offering good healthcare and still functions perfectly well in a medical sense).

Interoperability Challenges Abound

The comments came as part of a broader investigation into the shape of NHS digitalisation.

The report also warns that the ambition to achieve IT systems and data interoperability  across the NHS “will be very challenging to fully achieve” in the absence of a “carefully considered plan with a realistic schedule”.

Previous attempt to implement standards, resulted in “the use of multiple standards or different versions of the same standard” it adds.

Computer Business Review is reminded of this XKCD cartoon…

The report also emphasised what the NAO sees as a “tension between the ambitions to achieve [inter-NHS trust] interoperability and the aim to increase the number of technology suppliers to the NHS.”

The comments came after policy makers moved to break the apparently stranglehold of just two IT suppliers on the GP systems market.

EMIS and TPP, it says, supplied around 95 percent of the GP market, in part owing to a procurement framework (“the GP Systems of Choice”) that meant buyers looking to update GPs’ clinical IT systems had the choice of just four IT systems that would then be funded by clinical commissioning groups.

That has now been replaced by a new framework (“GP IT Futures“) designed to offer more options for CIOs and their procurement teams. This includes 69 suppliers including seven offering core GP IT systems.

“NHSX and NHS Digital intend to use contractual frameworks to ensure all technology suppliers meet standards that will allow interoperability between IT systems, the National Audit Office notes, saying that “increasing the number of suppliers could make interoperability more difficult to achieve because there will be more system-to-system integrations required.”

The report’s authors add: “NHSX intends to address this problem by asking local organisations to build a ‘data layer’ to support data access and exchange across different systems (with the intention that these layers will eventually be linked). However, NHSX has not yet defined what work is needed to achieve this; our previous work shows that other parts of government found similar approaches to be expensive and problematic.

Among the other NAO concerns about NHS digitalisation are:

That NHSX — the organisation tasked with driving NHS digital transformation —  is “unclear about the whole-life costs and benefits” of the different
approaches to digital transformation at a local level.

Among the examples it offers are the choices that NHS organisations have when it comes to modernising electronic patient record systems to store and share information (systems central to digitalisation ambitions intended to make data sharable and updateable in real time).

As the NAO notes: “NHSX expects trusts to take one of three approaches
to developing a system consistent with national ambitions: to buy an enterprise-wide system; to integrate multiple record systems; or to build their own system…  But NHSX does not have comparable whole-life-cost information for the three approaches, nor does it know the hidden costs which trusts incur as a result of the inefficiencies of legacy IT systems.”

Read the full NAO report [pdf] here. 

See also: The Top 10 Most Exploited Vulnerabilities: Intel Agencies Urge “Concerted” Patching Campaign

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.