Half of NHS trusts only scan applications for vulnerabilities once a year - if that

Just 12 per cent of the NHS trusts surveyed scan web application perimeters daily

NHS trusts are failing on IT security, with 45 per cent scanning their applications for vulnerabilities just once a year, and only eight per cent scanning systematically, every day.

That is the claim of security software company Veracode in a report based on Freedom of Information requests submitted to 36 NHS trusts across the UK.

The new findings were gleaned from a series of Freedom of Information (FoI) requests submitted to 36 NHS trusts, of which 27 responded. The responses also indicated that half of the trusts scan their perimeter web apps only once a year, leaving patient data at risk of cyber attacks through insecure legacy websites and third-party plug-ins.

Just 12 per cent of the NHS trusts surveyed scan web application perimeters daily.

The lack of systematic security practices may help to explain why so many NHS trusts have fallen victim to malware outbreaks, including ransomware.

Earlier this year, Freedom of Information disclosures revealed that just under one-third of all NHS trusts have suffered a ransomware infection to some extent. Last year, Northern Lincolnshire and Goole NHS Foundation Trust was forced to cancel operations for several days while it dealt with an outbreak of the Globe2 ransomware.

The anecdotal evidence from various NHS trusts is consistent with the broader findings of the Veracode State of Software Security report. It suggested that the healthcare industry - despite the sensitive data it is responsible for looking after - has the lowest vulnerability fix rate of any industry globally.

Healthcare exhibited the second-lowest Open Web Application Security Project (OWASP) pass rate, claimed Veracode, and the highest prevalence of cryptographic and credentials management issues.

It also found a high prevalence of serious vulnerabilities on first-time application scans alone: 45 per cent of applications had cross-site scripting vulnerabilities, 28 per cent were vulnerable to SQL injection, and almost three-quarters exhibited cryptographic credential flaws.

"In light of recent ransomware and other cyber attacks on healthcare organisations, the industry's low scores on these application security benchmarks are troubling," said Paul Farrington, manager of EMEA solution architects at Veracode.

He continued: "Our new research certainly raises fresh concerns regarding the safety of patient information here in the UK, as well as across the globe. There appears to be a lack of emphasis on application and web app scanning within the NHS, which could put trusts at an increased risk of losing patient data to hackers."