All 200 NHS trusts assessed for cyber security vulnerabilities have failed to meet the standard required, MPs have heard.
In a hearing on the WannaCry attack which crippled parts of the health service last year, NHS Digital deputy chief executive Rob Shaw said the results of the assessments do not mean the trusts had failed to take any action to boost cyber security.
He said the standards set out by National Data Guardian Dame Fiona Caldicott represent a “high bar” and that it is a big effort to meet it given the complexity of the NHS.
The WannaCry ransomware attack crippled parts of the NHS last May (Yui Mok/PA)
The WannaCry attack that began on May 12 is believed to have infected machines at 81 health trusts across England – a third of the 236 total, plus computers at almost 600 GP surgeries, according to a National Audit Office (NAO) report released in October.
The National Cyber Security Centre has assessed it was “highly likely” the attack was carried out by the shadowy North Korea cyber organisation known as the Lazarus Group.
Mr Shaw said trusts were still failing to meet cyber security standards, admitting some have a “considerable amount” of work to do, although others are “on the journey” to meet requirements.
He told the Commons Public Accounts Committee: “We have now completed 200 on-site assessments. We’d done I think it was 88 before WannaCry.
“All trusts have still failed and there are reasons for that, so this isn’t a case of all the trusts have done nothing around cyber security.
“The amount of effort it takes from NHS Providers in such a complex estate to reach the cyber essentials plus standard that we assess against as per the recommendation in Dame Fiona Caldicott’s report, is quite a high bar.
“So some of them have failed purely on patching, which is what the vulnerability was around WannaCry.
He went on: “I always take it better to have information to know where your vulnerabilities are so that you can do something about it rather than hope that you will be okay when you do get an attack.
“So these vulnerability reports go back to the trusts and their trust boards to be able to work out how they can then do mitigation.
“Some need to do quite a considerable amount of work but a number of them are already on the journey that will take them towards meeting that requirement.
“One of the things we may want to consider and it’s something now that we’ve got the additional funding available is whether we should go back and reinspect some of those where there’s the highest risk in order to provide ourselves with the assurance that we’re going in the right direction.”
A Department of Health and Social Care spokeswoman said: “Patient safety is our priority, and our £4.2 billion investment in technology will help eliminate avoidable harm.
“It’s encouraging that there were no reports of patient harm or of patient data being compromised in the Wannacry attack.
“We are now re-doubling our focus on cybersecurity with an extra £46 million to improve resilience in major trauma centres and support at risk organisations, with a further £150 million committed by 2020.”