Quarter of NHS accounts vulnerable from 'very weak' passwords

In a recent industry briefing, obtained by HSJ, NHS Digital’s security operations lead Chris Flynn told IT suppliers that while many NHS organisations had good cybersecurity policies, they were “not effectively implemented”.

The briefing said its conclusions, shared with the industry last month, were based on the NHS Digital CareCERT team’s assessment of 113 NHS organisations. However, NHS Digital has subsequently told HSJ it was based on only 64 of these assessments.

The organisations assessed included NHS trusts, one arm’s length body, 11 GP practices, four clinical commissioning groups and three commissioning support units. CSUs are often responsible for running the IT infrastructure for many other organisations.

The briefing said “common” security concerns included:

• On average, NHS organisations’ oldest missing critical IT security update should have been applied four years ago. Lax application of security updates was one of the biggest gaps exploited by the WannaCry ransomware virus in May.
• “Practically all” organisations gave any staff with a log in access to a wide range of sensitive data, including patient records, back up files and passwords.
• A quarter of active user accounts in NHS organisations had “very weak” passwords as did one in 10 administrator accounts.
• Seventeen per cent of the “active” IT user accounts at the organisations had not been used in a year. These accounts were likely associated with staff that no longer worked at the organisation.
• A lack of “standard IT controls”.

It is understood that the briefing document has since been altered by NHS Digital with the above findings removed, after inquiries from HSJ.

The CareCERT assessments were voluntary and aimed to help NHS organisations take simple steps to improve their cybersecurity. They are not connected to any regulatory regime.

In a statement to HSJ this week, Mr Flynn said the figures shared with the IT sector related to a “small proportion of NHS organisations” assessed in 2016-17.

“It’s important to have a clear, realistic understanding of cybersecurity levels across the sector, which we recognise will differ given the amount of organisations involved,” he said.

All the assessments took place before the WannaCry attack, which infected at least 47 trusts and led to the cancellation of more than 15,000 appointments and operations. The advice to the industry was designed to help it work with national bodies to “improve resilience of passwords, permissions and patching”, Mr Flynn said.

He added: “We know many organisations have made improvements in all of these areas since this time. We continue to work closely with national and local partners from across the system to help improve data security.”

However, the findings echo concerns raised about the low priority given to cybersecurity in the NHS, including from Dame Fiona Caldicott and former NHS Digital chair Kingsley Manning.

Since WannaCry, the government has taken steps to impose more central control and oversight of NHS data security, in the face of the growing cyber threat.

In its response to the Caldicott report last month, the government said NHS leaders would need to demonstrate how they were protecting their organisation’s data and act on NHS Digital’s critical security alerts within 48 hours.

After earlier hints of a new deal with Microsoft for the NHS, NHS Digital also confirmed this week that a “custom support agreement” had been signed with the technology giant to run a cyber threats detection service for the NHS.

The agreement, which runs for less than a year, will also include security updates for old, unsupported Windows systems, such as XP, a vulnerability that was exploited in at least one trust in the ransomware attack.

NHS Digital also plans to go to market for a new security operations centre later this year.