Home Threats National Data Guardian’s cybersecurity bar “quite high” for NHS Trusts

National Data Guardian’s cybersecurity bar “quite high” for NHS Trusts


During a hearing on the WannaCry attack that hit the healthcare industry in 2017, the National Health Service (NHS) Deputy Chief Executive Rob Shaw accepted that all the National Health Services trusts evaluated for cybersecurity regulations have failed to meet the set standards. He further elaborated that all the assessed 200 institutions found it difficult to meet the National Data Guardian Dame Fiona Caldicott’s requirements.

“The amount of effort it takes from NHS Providers in such a complex estate to reach the cyber essentials plus standard that we assess against as per the recommendation in Dame Fiona Caldicott’s report, is quite a high bar. So some of them have failed purely on patching which is what the vulnerability was around WannaCry,” Rob said. Presenting the findings to the Commons’ public accounts committee, the NHS digital deputy chief executive clarified that although some of the trusts have a substantial work to do, it is not like they haven’t worked at all on the issue. Testing of dataflow against standard practice principles, emphasizing on confidentiality and information security alertness amongst all NHS staff, and following the best principles when designing health information systems are some of the recommendations in the in Dame Fiona Caldicott’s report.

The WannaCry Ransomware hit Microsoft Windows OS during May 2017. It affected the operations of nearly 200,000 systems across 150 countries, including automobile companies like Nissan and Renault which had to halt productions at several sites to stop the ransomware from spreading. The National Health Services hospitals of England and Scotland were amongst the worst affected; the impact included disturbing critical devices like MRI scanners, blood-storage refrigerator, even theatre equipment. According to a report released by National Audit Office, the complete extent of the damaged caused by the ransomware might never be known.