Vast majority of NHS trusts have failed cyber security assessment, Brit MPs told

Every single one of the 200 NHS trusts in the UK so far assessed for cyber security resilience has failed an on-site assessment, MPs on the Public Accounts Committee were told yesterday. There are a total of 236 trusts. There is no timeline on when the remaining 36 will be checked over. In a hearing about the WannaCry …

  1. Anonymous Coward

    The multi-million pound consultation..

    ...says they need a multi-million pound upgrade, but don't have the budget.

  2. Warm Braw

    There are a total of 236 trusts

    There's your problem...

    1. Anonymous Coward

      Re: There are a total of 236 trusts

      The NHS has 1.7m employees. Do you really think that an organisation of that size would be manageable without breaking it down into a large number of smaller operating units?

      1. Warm Braw

        Re: There are a total of 236 trusts

        The problem is not that there are a lot of smaller operating units, but that they are essentially autonomous organisations over which "the NHS" (which is essentially just a brand and a funding stream) exercises little useful control.

        1. Prst. V.Jeltz Silver badge

          Re: There are a total of 236 trusts

          "exercises little useful control."

          True dat.

          NHS England have now developed the email system - that all the trusts can use

          If they could do something similar for (e.g.) a "Patient Checkin / management / tracking" system they could all use that - instead of them all running off to loads of separate 3rd party companies getting bespoke stuff made that needs to be replaced before they've even got it working properly and paying through the nose for it. x 236 trusts

      2. Anonymous Coward

        Re: There are a total of 236 trusts

        You clearly know little about how to create operational efficiency and how common standards, processes and purchasing could save billions of quid and thousands of lives.

      3. Hans 1

        Re: There are a total of 236 trusts

        The NHS has 1.7m employees. Do you really think that an organisation of that size would be manageable without breaking it down into a large number of smaller operating units?

        WTF, they split it up because their mates on the boards of other companies don't want one big customer with negotiating power, 230+ is much better ... everybody wins except the tax payer, NHS employees and patients, but who cares about them.... there are many more big businesses that have that many staff. All this is just Thatcherite lies to milk the taxpayers, patients, employees to make the richer richer ...

        I know, you might think another commy guardian-reading comment@rd, but if I compare care in Germany, France, and the UK ... I would rather not be treated in the UK ... and I think the staff are equally qualified in all those countries, maybe even more in the NHS ... Thank Feynman the late Admiral's family is there to donate that life-saving piece of equipment, NHS is in a state where it relies on donations ... and the NHS probably has the most motivated staff of any healthcare system in the world ...

    2. Anonymous Coward

      Re: There are a total of 236 trusts

      Plus 200 or so CCGs, covering the approximately eight thousand independently-operated-but-NHS-contracted GP practices, plus your local authority's public health and social care provision and the innumerable charitable and private providers taking greater and greater shares of the funding.

      When a system is so comprehensively fragmented and every component in that system so comprehensively failed, it is wrong to blame the elements of the system. When 200 out of 200 trusts tested fail to meet a standard, you cannot blame the trusts. You must and should blame the Department of Health, and ultimately the minister.

  3. sanmigueelbeer Silver badge

    He added: "Some of them need to do a considerable amount of work, but a number of them are on a journey [to] meeting that requirement."

    Translation: NHS Trusts don't have any idea what to do. NFI (No Friggin' Idea)

  4. Anonymous Coward

    Some of the issues are due to Java versions external companies insist on using, despite being vastly out of date and will not support or the service won't work if updated to the current version.

    Add on that upgrading Java involves the usual CAB rigmarole, and the fortnightly release of Java soon becomes an even bigger PITA.

  5. Anonymous Coward

    Here's 2 right off the bat.

    Here's a tip, NW Eng trust that shall remain nameless - Don't make the Smoothwall content management filtering system OPTIONAL!

    I'm no network expert, but I'm sure there are ways of directing traffic through the Smoothwall that don't rely on the user not unticking a box in their browser!

    Here's another - block executable downloads. I'm struggling to think of any reason any user would need to download a .exe / cmd / ps / vbs.

    'course you can't do (2) till you've done (1).

    1. Anonymous Coward

      Re: Here's 2 right off the bat.

      I'm struggling to think of any reason any user would need to download a .exe

      Because IT departments are bound by the same network policies and need to. What we do instead is scan everything and restrict non-admins from running them.

      Let's be clear, Wannacry did not happen because some Doctor, Nurse, Physiotherapist or whatever decided to run COOLPICTURES.JPG.EXE whilst logged into their Windows XP system.

      It happened because undermanned IT departments in underfunded hospitals took too long to test patches and software updates. As others here have said, it wasn't because they were all running XP either. In fact, if the NHS had been all XP, it might have escaped relatively unharmed since many trusts have reported that their XP machines were not infected at all.

      Give us the money and personnel to do it and it will be done.

      1. Prst. V.Jeltz Silver badge

        Re: Here's 2 right off the bat.

        Wannacry did have some unique exploring and tunnelling and P4wnage features, which made it more contagious, but I think patient zero was indeed "Physiotherapist or whatever decided to run COOLPICTURES.JPG.EXE"

      2. fnusnu

        Re: Here's 2 right off the bat.

        Don't your policies say you will be patched within 30 days? It's a Cyber Essentials requirement.

  6. Hogwam

    Having been assessed as part of this programme (I work for an NHS Trust) there is no way anyone could ever pass.


    Because national NHS systems rely on things like older versions of Java and Flash Player.

    Don't have them installed, stuff doesn't work.

    Have latest versions installed, stuff doesn't work.

    1. John G Imrie

      The NHS should be such a large buyer of IT services that it can dictate any terms it wants to IT suppliers; the fact that it doesn't demand secure patched systems suggests that it is not using its muscle appropriately.

      1. Zog_but_not_the_first

        @John G Imrie


        See also, drug procurement, infrastructure upgrade and maintenance, PFI etc.

        1. Anonymous Coward

          "The NHS should be such a large buyer of IT services that it can dictate any terms it wants to IT suppliers, "

          NHS: We demand that all MRI scanners work with Windows 10 for the next 20 years

          Supplier: Which version?

          NHS: Windows 10!

          Supplier: Which Version?

          NHS: The new one!

          Supplier: OK for the next 20 years it will be compatible with the latest version of Windows 10 as of today.

        2. veti Silver badge

          @John G Imrie


          Easy to say, not so easy to do.

          There are a lot of requirements placed on NHS contractors. If you add yet another one, you run the real risk that there will be *nobody* who is fully qualified to provide some vital product or service. And so you'll always have to make compromises somewhere.

          So there's always going to be argument about which requirements are essential, and which are merely desirable. Argument means politics. Welcome to square one.

      2. Alister

        @John G Imrie


        But this is exactly the problem mentioned upthread, there is no centralised purchasing or logistics anymore, it was got rid of in favour of each individual Trust having responsibility for their own purchasing.

        If there was a centralised logistics and purchasing facility, then economies of scale alone would make a massive difference to the amount of money the NHS spends on IT, drugs, estates and everything else.

        However, government policy (and not just the present government, but those of all political leanings) seems to be deliberately aimed at fragmenting and removing this ability.

        1. Anonymous Coward

          Can you back that up?

          Or was it a case that a single supplier agreed on a price for a service for 10 years and then everyone had to pay that, even if they found it cheaper elsewhere.

          I can tell you know that IT office equipment never took into account depreciation.

        2. Anonymous Coward

          The problem with centralised logistics and purchasing is that big brown envelopes are easier to spot than lots of little brown envelopes.

          If it was me doing any of this I would have a centralised IT department that managed the data and budget then individual IT departments with defined processes of what is and what is not to be done. I would then get to work identifying where programs and hardware needs upgrading while trying to isolate them where necessary. I would also look at what programs can be brought in house either by coding them from scratch or purchasing the code from a company. This does of course need funding which is where the problem ultimately lies because to fix the problems you need to upgrade and upgrades cost money. That's the way I see it should work though I'm sure some will agree and some will think I'm bonkers.

        3. Anonymous Coward

          Centralised purchasing merely ensures that a crappy and insecure system gets bought for all with a possible added bonus of no opt-out allowed.

      3. DaveTheForensicAnalyst

        I think a large part of that is the fact that "the NHS" doesn't really exist, individual trusts purchase for themselves, hence the disparate systems used across trusts. Due to that there is no NHS buying power. In fact, in one trust I have worked with, individual hospitals within the trust controlled their own IT budget.

        (IT consisted of one trained member of staff, and one trainee who worked part-time, for a city of approx 462,000 within its metropolitan area)

    2. Anonymous Coward

      Where ticking boxes is more important than working systems.

      Some of the assessment checks seem largely irrelevant, and most organisations would fail them.

      Additional registry keys needing (a matter of opinion rather than a proper risk analysis) to be set after some obscure Microsoft update, for example.

  7. Digitall

    Isn't it about time the UK Govt put this to bed!

    Oops, there's a shortage of beds too...

  8. John Smith 19 Gold badge

    "the NHS could have fended off WannaCry [if it] had taken simple steps to protect its computers"

    So b***er the "centralized" whatever.

    Most of it could be implemented by each trust if their PHB management (and that's where the ultimate responsibility lies) gave a f**k.

  9. Anonymous Coward

    The NHS has never prioritised IT security and now they're suffering.
