Wannacry no more? - cyber security in the NHS

The Wannacry cyber-attack created panic within the NHS and the disruption that followed impacted patient appointments, access to health records and the ability to access and use a range of systems.

The longstanding Information Governance Toolkit has provided a framework for NHS organisations to follow when trying to protect patient data. However, the growing sophistication and potency of the recent cyber-attacks in the UK and elsewhere in the world have only helped to underline the vulnerability of the NHS. In some ways, it can be seen as a soft target, as:

  • budget restraints and short term financial decisions have affected the ability of organisations to invest in IT systems and improve their infrastructure; 
  • public sector pay controls and the competition from the corporate sector have hindered staff recruitment and the ability for NHS organisations to retain some of their best staff; and
  • the complex way in which the IT infrastructure has developed in the NHS, involves connecting systems, a plethora of customised applications and a range of unsupported software used in areas such as radiology.

While the recent attack affected only some NHS organisations, it’s a very real warning of what may be to come. The whole sector must now put controls in place to protect themselves from future attacks.

During 2016/17 we undertook internal audit reviews across 44 of our NHS internal audit clients following a Cyber Essentials methodology, and supporting the self-review of each organisation with focused testing. In the report, we highlight a number of key findings, which focus on the areas of greatest vulnerability where action is most commonly and urgently required.

Whilst the security measures vary between organisations, the main weakness we have identified can be spilt into three core themes. Download the report to find out more.