Despite attempts for improved security provision, the UK's Department of Health has admitted that all 200 NHS trusts assessed for cybersecurity vulnerabilities have failed to meet the standard required.
Civil servants revealed the news in a parliamentary hearing earlier this week, which heard of the effects of the WannaCry ransomware attack on parts of the NHS last year.
The malware affected 300,000 computers in 150 countries in May last year, including 48 NHS trusts, also shutting down multiple hospital IT systems as well as companies and universities elsewhere.
At the time, NHS Digital said the NHS itself was not specifically the target of the attack but part of a wider "Wanna Decryptor" ransomware campaign that was only thwarted when a security researcher discovered a 'kill switch' that stopped the attack in its tracks.
However, hospital trusts across England and Scotland admitted they'd been caught up in the attack, with appointments cancelled, phone lines down and ambulances diverted. Doctors and other staff had also been sharing further details on Twitter, with one screenshot suggesting the ransomware was demanding $300 in Bitcoin to decrypt files, with the price doubling after three days.
Appearing before the Commons' Public Accounts Committee on Monday, NHS Digital deputy chief executive Rob Shaw said trusts were still failing to meet cyber security standards since the WannaCry debacle, admitting some have a "considerable amount" of work to do.
"The amount of effort it takes from NHS providers in such a complex estate to reach the Cyber Essentials Plus standard that we assess against as per the recommendation in Dame Fiona Caldicott's report, is quite a high bar. So some of them have failed purely on patching, which is what the vulnerability was around WannaCry," he said.
Simon Stevens, the chief executive of NHS England, added: "A whole bunch of things need to change."
The total cost of the impact on the NHS is still unknown, as and may never be, attendees heard.
The UK's Foreign Office officially blamed North Korea for the WannaCry campaign in December, though the country's regime denies involvement.
Following WannaCry, officials set aside 20 million for the NHS to create a security centre designed to constantly probe the organisation's cyber defences using ethical hackers, as well as issuing best practice guidance around cybersecurity incidents.
The National Audit Office (NAO) slammed the NHS's security in October last year, saying "basic IT security" measures would have prevented WannaCry from causing the chaos it did.
"It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the department and the NHS need to get their act together to ensure the NHS is better protected against future attacks," said Amyas Morse, head of the NAO, at the time.
-
IT leaders are being stung by "unexpected" AI costsNews The growing costs associated with AI are hitting organizations large and small
-
'Botsitting' is destroying productivity as workers spend nearly a full day each week making AI 'usable'News While workers are reporting productivity improvements, ‘botsitting’ means these are often negated
-
Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chiefNews Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook
-
New ransomware threat group, The Gentlemen, has become one of the most active ransomware operators, accounting for 10% of all attacksNews NTT researchers warn that the RaaS group is leveraging SystemBC malware to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments
-
Instructure chose to a pay ransom following the Canvas cyber attack – research shows more than half of security leaders would follow suitAnalysis Opting to pay ransoms creates huge risks for enterprises – you’re relying on the word of criminals
-
Ransomware negotiator sentenced for role in major cyber crime groupNews Deniss Zolotarjovs was a key player in a group associated with Conti
-
Threat actors ditch ‘spray and pray’ attacks in shift to targeted exploitationNews A dip in ransomware volumes points to a more targeted approach focused on vulnerability exploitation
-
Security leaders overconfident about ransomware recovery
News Few manage to recover all their data, and many experience business disruption
-
German authorities want your help finding the hackers behind GandCrab and REvilNews Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk are believed to have made millions from ransomware as a service schemes
-
The rise of teen hackers ‘makes for a good headline’, but cyber crime activities peak later in life
News With family responsibilities and mortgages to pay, it's not teenagers dishing out malware or carrying out cyber extortion
