More than a quarter of acute NHS trusts fail to undertake cyber penetrative tests

Digital Health Intelligence reveals more action is needed to prepare for the next cyber attack, with only a few trusts carrying out penetration testing to check their resilience against security threats.

The research, released ahead of the Public Cyber Security (PCS) conference, found that 28% of acute NHS trusts and 16% of mental health trusts had not undertaken penetrative testing for cyber security in the last 12 months.

The research was carried out immediately before the outbreak of WannaCry in May. It is based on Freedom of Information request responses provided by 107 acute trusts and 38 mental health trusts.

A quarter of NHS acute trusts surveyed admitted they had suffered disruption to data and computer systems as a result of cyber attacks in the past 12 months. It additionally found that 67% of acute trusts and 77% of mental health trusts had not undertaken on-site cyber security assessments as part of the NHS Digital CareCERT Assure initiative.

WannaCry demonstrated that the public sector needs to do more to secure itself against attacks from cyberspace. The ransomware incident significantly affected services across 47 NHS trusts in England, locking staff out of IT systems and resulting in the cancellation of thousands of appointments.

A subsequent report by National Audit Office (NAO) suggested that the impact of WannaCry on the NHS was largely avoidable, and could have been prevented had routine security measures been applied across all organisations.

The report also criticised NHS England for its lack of adequate communication during the outbreak, and for failing to carry out rehearsals for cyber attacks.

Delegates at PCS on 7 December will hear about the experiences of those tasked with quelling the WannaCry threat, as well as the lessons learnt from the incident.

The conference will be the first to exclusively focus on the challenge of securing public-facing services – including healthcare, education, police and government – from increasingly complex cyber security threats.

It will also address the looming issue of GDPR in the public sector, and examine how organisations can build robust IT security and equip staff with the cyber- skills needed to secure vital public services.

Public Cyber Security is a one-day conference that will take place on Thursday 7 December 2017 at the ICC Birmingham. Speakers from the NHS include:

• Richard Corbridge, chief digital and information officer at Leeds Teaching Hospital will share his strategic insight into how WannaCry has created a platform for a new type of cyber-aware digital team;
• Dan Taylor, head of cyber at NHS Digital will reflect on lessons learnt from WannaCry, and update delegates on his organisation’s plans for applying them in future.
• Inderjit Singh, head of architecture and cyber security at NHS England, discusses threat detection, mitigation and response as a board level issue.