Cybersecurity at NHS failed, admit officials.
Every NHS trust assessed for cybersecurity vulnerabilities has failed to meet the standard required, civil servants have said for the first time.
It was the first time that the NHS had stated that its cybersecurity failed to meet the standard. The admission came during a parliamentary discussion following WannaCry, which disrupted many NHS activities last year. An official of the Department of Health revealed how nearly 200 trusts have failed due to vulnerabilities in cybersecurity.
WannaCry, which struck on May 12th, was said to have infected many health trusts, and some 236 NHS trusts in England were on the victim list. Nearly 600 computers in GP surgeries were infected, according to the department release in October.
The National Cyber Security Centre [NCSC] has said it was “highly likely” the attack was carried out by a North Korean cyber organization known as the Lazarus Group. Trusts were still failing to meet cybersecurity standards, said Rob Shaw, the NHS Digital deputy chief executive, admitting some have a “considerable amount” of work to do.
Dame Fiona Caldicott, appearing before the Commons’ public accounts committee, said the department had completed 200 on-site assessments, but none had matched the “high bar” set out by the national data guardian. “The amount of effort it takes from NHS Providers in such a complex estate to reach the cyber essentials plus standard that we assess against as per the recommendation in Dame Fiona Caldicott’s report is quite a high bar. So some of them have failed purely on patching, which is what the vulnerability was around WannaCry.”
“The DoH was unable to give a cost for the impact of the outbreak,” said the NAO. It further added that “the full extent of the damage may never be known.”
WannaCry is a ransomware worm known for traveling directly from machine to machine, infecting new computers across corporate networks. It works silently in the background to embed itself within the operating system, and when the computer is restarted it starts the encryption process. This makes the data impossible to decrypt without the key. The victim has to pay a ransom to get the system back, and is lucky to get it back at all.
Though the NCSC did not release its findings, elements in the code were similar to known North Korean malware.
“A whole bunch of things need to change,” Simon Stevens, the chief executive of NHS England, told the meeting.