NHS Digital to ignore IT security recommendations despite WannaCry
£1bn estimated cost not considered worth it, despite ongoing attacks targeting NHS data
NHS Digital is set to ignore the IT security recommendations of its own chief information officer, Will Smart, citing the estimated cost of between £800 million and £1 billion. It claims that the investment would not be "value for money".
The recommendations were the result of a review, published in February, that was commissioned by government in response to the WannaCry ransomware attack, which affected one-fifth of all NHS trusts in the UK. The NHS was especially hard hit, not least due to a lack of up-to-date patching on Windows 7 workstations across the monolithic organisation, one of the biggest employers in the world.
The recommendations in Smart's review had been endorsed by the National Cyber Security Centre (NCSC).
However, documents acquired under Freedom of Information by the Health Service Journal (HSJ), indicate that NHS Digital has opposed adoption of the recommendations on the grounds that they would not "be value for money".
NHS Digital's response comes despite the organisation coming under sustained and continual cyber attacks, including one called Orangeworm that specifically targets sensitive healthcare data. HSJ adds that malicious phishing websites mimicking NHS trusts have also been found, while one NHS organisation was found to have exposed a sensitive database online.
A scan by NHS Digital, it adds, found 227 medical devices connected to the internet with a known vulnerability. And four out of five NHS trusts failed to even respond to a ‘high severity' cyber alert issued in April.
The review of NHS IT security by CIO Will Smart came four months after a damning report into the state of NHS IT security produced by the National Audit Office, which indicated that the NHS and Department of Health didn't know how to respond to the outbreak.
The WannaCry ransomware has been pinned on North Korean hackers, although the North Korean government has denied that it was behind the outbreak. The outbreak was suddenly halted by security researcher, Marcus Hutchins - who was later arrested by US authorities over claims that he had helped code a banking Trojan earlier this decade when he was a teenager.