More than 100 NHS boards have completed their GCHQ-accredited cyber security training two years on from the WannaCry attack, Matt Hancock has confirmed.

Speaking at The King’s Fund Digital Health and Care Congress yesterday, the secretary of state for health and social care announced a new data security and protection toolkit that will be adopted across the NHS.

It was not clear whether the 100 NHS boards that had completed their training were among the 236 hospital trusts in England or among primary care and affiliate NHS organisations.

But according to Digital Health’s cyber security columnist Davey Winder the numbers aren’t very encouraging.

“‘More than 100’ isn’t very helpful as it could mean 101 for all we know. Nor is it very encouraging as I would have hoped, two years on, that all trusts would have been keen to be seen making progress here,” he said.

“Of course, I have to say I’m not convinced that certification is the answer to the security issues within the NHS that WannaCry exposed so clearly, but at least it’s a start.

“Unfortunately, until NHS Digital are more forthcoming with where we are regarding the implementation of these recommendations [after WannaCry], guesswork is all we have.”

In his keynote speech Hancock also said the government was in the middle of investing £150 million to put in place new cyber protections, including the new data security and protection toolkit that “everyone in the NHS who deals with patient data must use”.

The toolkit will be used to help health and social care providers “improve cyber security and carry out self-assessments”, he added.

Part of the three-year £150 million package includes investment in NHS Digital’s Data Security Centre to prevent, detect and respond to cyber attacks in real time.

The centre has prevented over 21 million potential cyber attacks over the past three months, as well as over 640 million phishing attempts, according to Department of Health and Social Care figures.

This includes five nationwide attacks which were blocked shortly after being detected, protecting vital systems such as MRI scanners, refrigeration units storing organs and drugs, as well as basic IT.

On 12 May 2017, the WannaCry ransomware outbreak devastated hospital IT systems. Just after 1pm, NHS Digital’s CareCERT unit sent an alert to the Department of Health and Social Care informing them that four NHS trusts had reported ransomware attacks affecting a number of hospitals.

By 4pm, the ransomware had spread to 16 trusts, and it was at this point that NHS England publicly declared a major cyber security incident.

It led to disruption of at least 80 out of 236 hospital trusts in England, as well as 603 primary care and affiliate NHS organisations.

A devastating report from the National Audit Office into the impact of WannaCry concluded that Britain’s health service was woefully unprepared for a cyber-attack of such scale, despite being warned of a threat as far back as 2014.

In response NHS England published its “lessons learned” report, calling for a chief information and security officer (CSIO) and dedicated cyber security lead to be appointed.

Later, in February 2018, NHS Digital deputy CEO Rob Shaw told a Public Accounts Committee (PAC) that 200 NHS trusts tested against cyber security standards since WannaCry had failed.

NHS Digital was unable to confirm how many of the 22 recommendations in the lessons learned report have been met.

The deadline for trusts to pass cyber security training is 2021. In January 2019, NHS Digital’s first CSIO, Robert Coles, resigned and has yet to be replaced.