Health chiefs refuse to foot £1bn bill to improve NHS cyber security

NHS Digital describes expert calculation as 'not value for money'

Health chiefs have questioned the expert view that more than £1 billion needs to be set aside to deal with the cyber threat to the NHS.

IT and data security came under the spotlight after the WannaCry attack last May crippled NHS systems, leading to cancelled operations, postponed GP appointments, and ambulances having to be diverted.

Smaller attacks continue to be reported and experts have repeatedly warned that healthcare data is valuable to hackers and that they will continue to target NHS organisations as they lack the security needed.


A Government-commissioned review, published earlier this year, advised that, for the entire NHS to meet the key standard, known as Cyber Essentials Plus (CE+), £800m to £1 billion would be needed.

But, according to a Health Service Journal Freedom of Information request, NHS Digital, the body responsible for NHS online operations, has indicated it will not foot the bill, claiming it would not constitute ‘value for money’.

The revelation comes just weeks before the Department of Health and Social Care is due to release a report examining what went wrong during the WannaCry scandal and detailing any lessons that can be learned.

A Department of Health and Social Care spokesperson said: “The health service has improved its cyber security since the attack, and we have supported this work by investing over £60m to address key cyber security weaknesses.

“We plan to spend a further £150m over the next two years.”

Commenting on the news, Stephen Gailey, a solutions architect at Exabeam, questioned whether NHS Digital really believes it can operate a modern online organisation without adequate security. He told BBH: “NHS Digital needs to back up this rejection with some hard analysis and needs to provide its own security improvement plan for scrutiny.

“Failure to adequately protect NHS patient data is likely to cost the NHS dearly in both fines and legal challenges and distract the organisation from its primary role.”

One of the key flaws the NHS faced was that so many of its devices were either running on legacy IT systems, such as Windows XP, or that modern operating systems were being run, but not being patched correctly.

Mat Clothier, founder and chief executive at Cloudhouse, believes that overcoming legacy IT is key to security, and that migrating away from it does not have to incur costly outgoings.


He said: “It’s understandable that NHS Digital is committed to getting the best deal possible when improving its IT, but when it comes to security, there can be no excuse for outdated solutions that are not fit for purpose in the modern IT landscape.

“Security best practice will always advise those in all sectors to move away from legacy, unpatched operating systems that are vulnerable to data theft or loss. Users of Windows XP, Server 2003 and, soon enough, Windows 7, all face this challenge.

“Thankfully, the days of having to rewrite legacy apps not built for modern platforms, which can be both time-consuming and costly, are over.

“Compatibility containers can now help those in both the public and private sectors to deploy a comprehensive approach to data protection and can deliver the migration of mission-critical, legacy apps to the safety of a supported OS - without the expensive price-tag.”
