NHS trusts failing on security
Investigation finds out-of-date SSL, insecure apps and a ‘postcode lottery’ on security spend across the UK, just days after an internal email test crashes the entire NHS email system.
A national investigation into the security state of the NHS has found a series of failings, just days after a misconfigured email test crashed servers across the country.
A security investigation by Sky News discovered misconfigured email servers, outdated software and old SSL security certificates, along with NHS trusts' security credentials such as emails and passwords, through simple public searches.
The investigation, carried out using Freedom of Information laws, also revealed a postcode lottery when it comes to cybersecurity, with a huge range of spend across the country. Although the average annual spend for an NHS trust was £23,040, seven NHS trusts spent nothing on cybersecurity in 2015, while six trusts spent at least £100,000.
The results are borne out by simple tests using High-Tech Bridge’s own free SSL testing service, which shows a wide variation in SSL security within Greater London NHS trusts alone: Imperial College Healthcare NHS Trust gets an A+, while Lewisham and Greenwich NHS Trust gets a C. In short, Imperial is compliant with PCI DSS, while Lewisham is not only non-compliant with PCI DSS but also vulnerable to the POODLE (over SSL) and DROWN attacks.
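As an added illustration of what a "POODLE over SSL" finding means in practice (example code added here, not High-Tech Bridge's scanner or anything from the NHS): a server is exposed to POODLE-over-SSL only if it will still complete a handshake at SSLv3, so the check is to offer SSLv3 alone and see whether a ServerHello or an alert comes back. The record layout follows the SSLv3/TLS specifications; the cipher suite list and the `check_host` helper are assumptions for illustration, and DROWN (an SSLv2 issue, with different record framing) is not covered by this probe.

```python
import socket
import struct

# SSLv3 is the protocol version a POODLE-over-SSL finding means is still enabled.
SSLV3 = 0x0300
# A few cipher suites that SSLv3-era servers commonly offered (IANA suite ids); assumed list.
LEGACY_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]

def build_client_hello(version=SSLV3, suites=LEGACY_SUITES, client_random=bytes(32)):
    """Return a minimal ClientHello record that offers only `version` (RFC 6101 / RFC 5246 framing)."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version) + client_random + b"\x00"   # client_version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes     # cipher suite list
            + b"\x01\x00")                                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake  # record type 0x16 = handshake

def classify_response(data):
    """Interpret the first record a server sent back.

    Returns ("server_hello", negotiated_version), ("alert", description) or ("unknown", None).
    """
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02:  # handshake record carrying a ServerHello
        return ("server_hello", (data[9] << 8) | data[10])        # server_version follows the two headers
    if len(data) >= 7 and data[0] == 0x15:                        # alert record: level byte, description byte
        return ("alert", data[6])                                 # 70 = protocol_version, 40 = handshake_failure
    return ("unknown", None)

def offers_sslv3(data):
    """True when the server answered the SSLv3-only offer with an SSLv3 ServerHello instead of refusing it."""
    kind, value = classify_response(data)
    return kind == "server_hello" and value == SSLV3

def check_host(host, port=443, timeout=5.0):
    """Probe one of your own servers: send the SSLv3-only ClientHello and report whether it was accepted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        return offers_sslv3(sock.recv(4096))

if __name__ == "__main__":
    import sys
    print("SSLv3 still offered (POODLE-over-SSL exposure)" if check_host(sys.argv[1]) else "SSLv3 refused")
```

Run it against your own hostnames only; the remediation for a positive result is to disable SSLv3 (and SSLv2) in the server's TLS configuration, which is also what moves a grade like the C above towards the A+.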
Sky News received responses from 97 NHS trusts, 45 of which were unable to specify their cybersecurity budget at all. The investigation also found that NHS trusts are suffering an increasing volume of personal data breaches, from 3,133 in 2014 to 4,177 last year, and that cyber incidents are accounting for more breaches, from eight in 2014 to 60 last year.
A Department of Health spokesman told Sky News: "We expect all parts of the NHS to take the threat of cybersecurity extremely seriously so that patient data is protected.
"We already have in place cybersecurity support services such as careCERT, and are continuing to take action with NHS Digital to enable Hospital Trusts to drive forward improvements in security where needed."
Meanwhile, a single test email accidentally sent to a list of more than 1.2 million NHS employees caused the entire NHS email system to grind to a halt. The message is believed to have been sent by an IT contractor in Croydon to every employee in the organisation. One NHS employee tweeted:
Recently, Northern Lincolnshire and Goole NHS Foundation Trust was forced to cancel operations after an unknown virus infected its systems, which led to three days' worth of cancelled operations in the three hospitals operated by the Trust, as well as in hospitals of a neighbouring NHS trust with which it shares some systems. Derriford Hospital in Plymouth was also targeted by ransomware recently and had to restore its systems from a backup.
In a separate report on application security in 2016, High-Tech Bridge found that more than 90 per cent of in-house developed web applications designed to handle medical, financial or other sensitive data are vulnerable to high-risk improper access control or other application logic flaws, that is, flaws not related to the sanitisation of user-supplied input (as in XSS or SQL injection). Although the same research found that increased budget was a key factor in ensuring better security, it also found that centralised cybersecurity management, of the kind multinationals have, was also key. It is probably not unfair to speculate that both of those factors have affected NHS security in the past, and are likely to continue to do so...