Exclusive: Tighter cyber security deemed ‘not value for money’

A government commissioned review of the NHS response to the WannaCry global ransomware attack, published in February, recommended that all NHS organisations meet a cyber security standard, known as a cyber essentials plus, by June 2021.

NHS chief information officer Will Smart wrote the review and the National Cyber Security Centre endorsed the specific recommendation.

The review states: “This [the standard] should be the minimum bar that all health and social care organisations must meet.”

However, documents released to HSJ under Freedom of Information Act show NHS Digital, which runs the NHS’s national cyber services, has opposed adopting the recommendation.

Papers presented to a cyber security committee meeting in June estimate meeting the standard would cost the NHS between £800m and £1bn.

They state: “While NHSD believes using the CE+ [Cyber Essentials Plus] as a benchmark is useful, getting all providers to accreditation would not be value for money.”

The WannaCry attack on 12 May last year disrupted more than 80 trusts and hundreds of GP practices, leading to ambulance diversions and the cancellation of thousands of operations and appointments.

The NHS Digital papers also show that cyber attacks on the service have continued and concerns remain about the readiness of NHS organisations to respond to another major attack.

In the month of April this year alone, NHS Digital dealt with the following:

• At least one NHS organisation that was infected as part of a global hacking operation known as Orangeworm. The attack targeted healthcare organisations specifically for the purpose of extracting sensitive data.
• Several fake malicious websites were uncovered masquerading as belonging to NHS trusts, one of which was then used to launch targeted phishing attacks. 
• An unnamed NHS organisation was found to have an exposed database containing personal, medical and legally sensitive information that was “easily accessible” online.
• A scan by NHS Digital found 227 connected medical devices across the NHS had a well known vulnerability, exposing them to cyber attack.

Last month, HSJ revealed that four out of five trusts failed to respond to a “high severity” cyber alert in April, the first such alert issued since WannaCry.

A new national reporting scheme shows between 25 May and the end of June this year, NHS organisations reported 122 “data security incidents” where it was “likely that citizens’ rights have been affected”.

In April, The House of Commons public accounts committee criticised Department of Health and Social Care for not moving fast enough after WannaCry. They demanded a costed plan for cyber security by the end of June this year. 

The DHSC is expected to release its response to the WannaCry review later this month.  HSJ understands it will not include any additional funding beyond what was committed earlier this year.

When approached by HSJ, DHSC did not provide a substantial response to questions, including whether the NHS would be expected to meet the “cyber essentials” standard recommended in the review.

A spokesman said: “The health service has improved its cyber security since the attack, and we have supported this work by investing over £60 million to address key cyber security weaknesses. We plan to spend a further £150 million over the next two years.” 

Money that had been diverted to improve NHS cyber security thus far has gone to major trauma centres, ambulance centres, and boosting NHS Digital’s ability to detect and prevent attacks centrally. 

NHS Digital and NHS England referred questions for this story to DHSC.

The National Cyber Security Centre did not respond to requests for comment.