NHS cybersecurity flaws revealed by news investigation

An investigation by Sky News has revealed some worrying stats concerning how the NHS is protecting its data online.

According to the news channel, seven NHS trusts, serving more than two million people, spent nothing on cybersecurity in 2015. Further insight obtained from the investigation includes the fact that the average annual spend for an NHS trust was £23,040, although six trusts spent at least £100,000. In all, 45 trusts were unable to specify their cybersecurity budget at all.

The information was obtained by Sky News using a Freedom of Information request to which 97 trusts responded.

Further investigation found that trusts are increasingly suffering from personal data breaches – the number of breaches rose from 3,133 in 2014 to 4,177 last year – and that cyber incidents account for a growing number of them, rising from eight in 2014 to 60 last year.


Serious flaws

Security firm Hacker House, which was invited to work on the investigation with Sky News, also revealed some serious flaws in NHS Trust cybersecurity. These included misconfigured email servers and outdated software and security certificates.

Commenting to Sky News, Jennifer Arcuri, co-founder of Hacker House, said: “I would have to say that the security across the board was weak for many factors. Out of date SSLs, out of date software; it was very clear that you could bypass any number of these trusts just by doing the right recon online.

“So, if I was an adversary looking to get into any of these trusts or take advantage or change, manipulate or send communications on behalf of a doctor, I could, just because the information was already there.”


Bad week

The investigation caps an already troubled few weeks for the NHS when it comes to its digital performance. Two NHS trusts in Lincolnshire were recently forced to cancel operations after a virus infected their computer systems, and NHS email was brought to a standstill after a member of staff sent a message to every listed NHS address.

NHS Digital said this was the result of a technical bug in the supplier’s system and was not the fault of an individual member of NHS staff.

Any response from the NHS to the Sky News investigation will be reported here.
