28% of acute NHS trusts have not completed cyber penetrative tests

Research by Digital Health Intelligence reveals more action required to prepare for next cyber attack

Twenty eight per cent of NHS acute trusts and 16% of mental health trusts have not undertaken penetrative testing for cyber security in the last 12 months, according to new research from Digital Health Intelligence, released ahead of the Public Cyber Security Conference.

Delegates at the event will hear from speakers on the frontline who will share their experiences of responding to WannaCry and the lessons learned.

The conference is the first to exclusively focus on the challenges of securing frontline citizen-facing services, including the NHS, social care, police, education and central government, from a growing range of complex cyber security threats.

The programme includes sessions that address the fearsome looming challenges of GDPR in the public sector, building a robust information security enterprise architecture, aligning information governance regimes across public sector bodies, and equipping staff with the cyber skills needed to secure vital citizen services.

WannaCry was a wake-up call that the public sector needs to do much more to protect against future attacks. The ransomware incident significantly affected services across 47 NHS trusts, with thousands of patients having their appointments cancelled and hundreds of operations unable to take place.

Freedom of Information requests from Digital Health, the organiser of the conference, found that immediately ahead of WannaCry, 67% of acute trusts and 77% of mental health trusts hadn’t yet completed an on-site assessment as part of the NHS Digital CareCERT Assure service. And these numbers are rising.

Dan Taylor, head of cyber security at NHS Digital, recently tweeted that the CareCERT service had undertaken its 150th data security assessment in the NHS.

A quarter of all NHS acute trusts surveyed admitted they had suffered disruption of access to data and systems as a result of a cyber attack in the past 12 months. The research was carried out immediately before WannaCry, the NHS’ most-high-profile incident, had hit. Freedom of Information responses were provided by 107 acute trusts and 38 mental health trusts.

A new report by National Audit Office (NAO) suggested that severe disruption to NHS services caused by WannaCry was largely avoidable and would have been prevented had routine security management measures been applied across all NHS organisations.

The NAO report also found that official communications proved slow and says that basic lessons must be learned and applied by all health and care organisations. The NAO noted that NHS England has not carried out a rehearsal for a cyber security attack ahead of WannaCry.

The Public Cyber Security Conference is a new one-day event being held on Thursday, 7 December at the ICC in Birmingham. Speakers from the NHS include Richard Corbridge, chief digital and information officer at Leeds Teaching Hospitals NHS Trust, who will share his strategic insight into how WannaCry has created a platform for a new type of cyber-aware digital team; and Dan Taylor, head of cyber at NHS Digital, who will reflect on lessons learnt from WannaCry and update delegates on his organisation’s plans for applying them in future.

And Inderjit Singh, head of architecture and cyber security at NHS England, will discuss threat detection, mitigation and response as a board-level issue.

Companies