It has been almost a year since WannaCry (a piece of malicious software that encrypts files on a user’s computer, blocking them from view and threatening to delete them unless payment is made) hit the NHS system, causing the cancellation of 20,000 operations and appointments. Yet the Public Accounts Committee (PAC) is still warning the NHS that attacks in the future could be “more sophisticated and malicious”.
Redscan (a cybersecurity service) recently discovered that most NHS employees are ‘undertrained’ when it comes to cybersecurity. Together with a lack of investment and a potential problem hiring trained professionals, this is leading to great concern as to how prepared the NHS is for another attack. According to the Freedom of Information (FoI) findings, there is 1 cybersecurity professional for every 2,500 staff, and around 24 out of 108 trusts have no cybersecurity qualifications. Although some staff are in the process of obtaining relevant security qualifications, concern for the security of the NHS continues to grow, given that there has been little change since the cyber attack back in May, despite growing concerns about the threat to the UK. The PAC chairman, Meg Hillier, has said, “It is alarming that nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed”.
Sources say that the lack of change since last May could be down to the lack of investment in the NHS. The FoI also found that in the last 12 months trusts have spent an average of just £5,356 on cybersecurity and GDPR-related training. Many trusts relied solely on NHS Digital’s Information Governance (IG) training, which is free of charge. Due to this lack of investment, only 12% of trusts have met their target of having more than 95% of their staff passing IG every 12 months. The director of Redscan, Mark Nicholls, has said, “These findings shine a light on the cybersecurity failings of the NHS, which is struggling to implement a cohesive security strategy under difficult circumstances”.
Whether you are part of a large organisation such as the NHS or just a small business, it is important that you and your staff are all educated and trained on the dangers of cyber attacks and on what you can all do to avoid becoming the victim of one.