NHS accused of poor cybersecurity

18/11/2016


It’s not been a great week for the NHS. Monday brought the news that their internal email system was brought down by an accidental email sent to all 850,000 users with an NHS.net email address.

One doctor told the BBC:

“The thing is hundreds of people have been replying to all. My NHS email is very important to me because it’s the only secure way I can send and receive anything safely about my patients. So, this is a major problem [and] potentially a risk to patients.”

With only a day for the embarrassment to subside, Sky News has brought the magnifying glass back to the health service with their investigation into NHS trusts and their levels of cybersecurity.

The published results showed that:

  • 7 NHS trusts, serving more than 2m people, spent nothing on cybersecurity in 2015
  • 45 NHS trusts were unable to specify their cybersecurity budget at all
  • 2 NHS trusts in Lincolnshire were forced to cancel operations after a virus infected their computer systems
  • Personal data breaches have risen from 3,133 in 2014 to 4,177 last year
  • Cyber incidents account for a growing share of those breaches, rising from 8 in 2014 to 60 last year

Gary Colman, an NHS employee attached to the West Midlands Ambulance Service who conducts penetration testing of trusts, told Sky News: “We find varying levels of IT security within the NHS, and local government as well. Some organisations are very very secure, others need a little more attention.”

A Department of Health spokesman said: “We expect all parts of the NHS to take the threat of cybersecurity extremely seriously so that patient data is protected.”

What can be done?

Cyber security should be viewed within the broader subject of information security. Protecting important data starts at the front door, and quite often involves just as much investment in staff awareness as it does network security.

ISO 27001 is an internationally recognised best practice standard for information security, and has been implemented by more than 27,000 organisations. It incorporates all potential elements of information security, providing a framework to judge levels of risk throughout an organisation to help plan appropriate action.

Certification to the standard by a third-party certification body has also proven to enhance competitiveness, with our clients reporting that it is increasingly stipulated in both public and private sector contracts.

Want to learn more about ISO 27001?

For more information, see our dedicated ISO 27001 page.