Every NHS trust that has been tested against cyber security standards since 2017’s WannaCry attack has failed, NHS Digital has revealed, as the CQC revealed plans for surprise inspections on hospitals.
Speaking at the Public Accounts Committee in Westminster on 5 February, Rob Shaw, deputy CEO of NHS Digital, said that 200 NHS trusts had fallen short of the Cyber Essentials Plus certification when subjected to on-site assessments by the Care Quality Commission (CQC).
Shaw appeared alongside NHS England chief executive Simon Stevens, Department of Health Permanent Secretary Sir Chris Wormold and NHS CIO Will Smart, to answer MP’s questions on the impact of last year’s ransomware incident, and what steps have been taken since.
The influential Public Accounts Committee heard that a number of trust who failed the inspection had done so because they had not carried out adequate patching on IT systems – a core vulnerability targeted by the WannaCry ransomware.
Shaw said that NHS Digital was now working with the most vulnerable trusts on mitigation plans. He also stressed that measures were being put into place to address weak links in the chain.
“It isn’t the case that all of the trusts have done nothing around cyber security. The amount of effort it takes from NHS providers in such a complex estate to reach the Cyber Essentials Plus standard that we assess against is quite a high bar,” said Shaw.
“Some of the trusts have to do quite a considerable amount of work, but a number of them are already on the journey that will take them towards meeting that requirement.
“One of the things that we may want to consider now that we’ve got the additional funding available is whether or not we should go back and re-inspect some of those where there is the highest risk, in order to provide us with the reassurance that they are going in the right direction.”
However, Shaw confirmed that all NHS foundation trusts in England had signed up to CareCERT, which offers guidance and support to health and social care organisations in responding effectively to cyber security threats.
It was also confirmed at the PAC hearing that NHS Digital and CQC will carry out surprise “deep-dive” inspections on NHS trusts as part of efforts to bring cyber security up to scratch.
Between now and March 2018, a small number of unannounced “deep dives” will be carried out on NHS hospitals as part of scheduled, “well-led” inspections. A number of pre-announced inspections will also be carried out to allow a comparison of the two approaches, according to CQC.
CQC inspectors will be joined by personnel from NHS Digital for relevant parts of the assessments, who will be able to conduct additional interviews with staff members who have direct responsibility for cyber security.
At this stage, it is believed that the findings will not impact on trusts’ ratings and will be reported separately by NHS Digital. Following the testing period, a decision will be taken on whether and how to continue with this approach.
Ted Baker, chief inspector of hospitals at the Care Quality Commission, said in a statement that the deep-dives “are intended to establish a baseline of what ‘good’ looks like”.
In a statement to Digital Health News, Dan Taylor, director of digital security at NHS Digital, said the aim of the inspections would be to identify the key areas of improvement for trusts to take action on.
“We’re keen for Boards and leadership teams across the NHS to enhance their data security. As part of that aim we have been working with CQC to develop its key lines of enquiry on Data Security as part of their well-led inspections,” said Taylor.
“Our role is not that of a regulator, rather providing the CQC with specialist support to undertake their inspections.”
With regards to the 200 assessments already undertaken, Taylor said he was unable to comment on individual cases for reasons of confidentiality, and to avoid “naming and shaming” those trusts that had not passed.
“The tests are rigorous and consider all levels of data security,” he added. “The aim of the assessments is to identify potential security risks and support participating organisations to take remedial action.”
A report published last week by NHS England CIO Will Smart identified £25 million of funding to help trusts bolster their cyber security in 2017/18.
Smart’s review outlined 22 recommendations for the future, including the appointment of a chief information and security officer (CISO) and a dedicated cyber security lead across the entire English NHS.
The CIO told PAC that a timescale for the implementation of the recommendations would be presented within the next six months, with the aim of having introduced all 22 by June 2021.
“That would be the long stop in terms of when the plan as a whole would finish”, he said.
“I expect over the next few weeks and months, we will be able to come up with a much clearer timetable.”