NHS fails cyber-security health check


Researchers from cyber security consultancy Hacker House, as part of a Sky News investigation, have found a number of NHS trusts fall short when it comes to online data security.

Sky News accuses seven NHS trusts of a lack of investment, along with out-of-date systems, that have resulted in weakened security. The seven, it charges, spent a big fat zero on cybersecurity last year.

This would be worrying enough even if basic security probes showed systems that were up to scratch. However, Hacker House researchers uncovered a bunch of problems that show this to be far from the case.

According to the Sky News report, they found “misconfigured email servers, outdated software and security certificates, along with NHS trusts’ emails and passwords, through public searches.”

Hacker House CEO, Jennifer Arcuri, said that “security across the board was weak” and claimed “it was very clear that you could bypass any number of these trusts just by doing the right recon online.”

Sky News uncovered, via Freedom of Information requests, that on average an NHS trust spends just £23,040 per year on cybersecurity. A shockingly low figure, if this is actually the case. Six trusts, however, had cybersecurity budgets in excess of £100,000.

Given that data breaches at NHS trusts have risen from 3,133 in 2014 to 4,177 in 2015, these low spends and weak security are even more worrying. Especially when you consider ‘cyber’ incidents accounted for 60 reported breaches last year compared to just 8 in 2014.

High-Tech Bridge ran a follow-up SSL compliance check in order to verify the results and see whether they remained accurate. Using the free SSL Server Security test service powered by ImmuniWeb, High-Tech Bridge found there was a wide variation when it comes to SSL security within NHS trusts in the Greater London area alone.

The tests showed that Imperial College Healthcare NHS trust achieved an A+ PCI-DSS compliant rating (which is good) while Lewisham and Greenwich NHS trust only managed a C (which clearly isn’t). In fact, High-Tech Bridge point out that the Lewisham server is not only non-compliant with PCI-DSS but also vulnerable to POODLE over SSL and DROWN attacks.
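The POODLE finding above boils down to one question a trust’s own administrators can answer without a third-party service: does the server still accept an SSLv3 handshake? The following is an added example (not code from High-Tech Bridge, ImmuniWeb or the article) that builds a raw SSLv3 ClientHello record, since modern TLS libraries refuse to send one, and classifies the first record the server sends back. The host name is a placeholder; DROWN is a separate check that needs an SSLv2-format hello, which this does not build.

```python
import socket
import struct

SSL3 = (3, 0)  # protocol version bytes for SSLv3 (POODLE applies to this version)

def ssl3_client_hello(ciphers=(0x002F, 0x000A, 0x0005)):
    """Build a minimal SSLv3 ClientHello record (constructed by hand, not a full TLS stack)."""
    body = struct.pack(">BB", *SSL3)                       # client_version = 3.0
    body += b"\x00" * 32                                   # client random (zeroed: deterministic)
    body += b"\x00"                                        # session_id length = 0
    body += struct.pack(">H", 2 * len(ciphers))            # cipher_suites length
    body += b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                    # compression_methods: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello(1)
    return b"\x16" + struct.pack(">BB", *SSL3) + struct.pack(">H", len(hs)) + hs

def classify_response(data):
    """Classify the first record a server returns in answer to the SSLv3 ClientHello."""
    if len(data) < 5:
        return "no-ssl"                                    # closed connection or not SSL/TLS
    ctype = data[0]
    if ctype == 0x15:                                      # Alert record: server refused SSLv3
        return "refused"
    if ctype == 0x16 and len(data) >= 11 and data[5] == 0x02:   # Handshake: ServerHello
        version = (data[9], data[10])                      # server_version follows 4-byte header
        if version == SSL3:
            return "sslv3-accepted"                        # POODLE exposure, PCI-DSS failure
        return "negotiated-%d.%d" % version
    return "unknown"

def probe(host, port=443, timeout=5):
    """Send the SSLv3 hello to one of your own servers and report how it answered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(ssl3_client_hello())
            return classify_response(s.recv(4096))
    except (socket.timeout, OSError):
        return "no-response"

if __name__ == "__main__":
    print(probe("trust-web-server.example"))               # placeholder host name
```

A result of "sslv3-accepted" is the condition the ImmuniWeb grade flags; anything else means the server at least refuses the downgrade this check exercises.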

Jon Fielding, managing director at Apricorn EMEA, meanwhile says it is “alarming that seven trusts can go a whole year without investing anything in cybersecurity defence” after the government recently cited the NHS specifically as a target for cyber-attack.

Tim Jarrett, a senior director at Veracode, reckons that “it’s time for the health sector to wake up and recognise that its goldmine of data will soon come under constant attack on a similar scale to what we have already seen in the financial services sector.”

“As the NHS begins to implement its paperless healthcare strategy, it must also increase cyber security procedures to protect digital documents and data” Jarrett insists, adding “this means making implementation of encryption technology alongside rigorous testing of all applications for vulnerabilities a top priority to keep hackers and cyber criminals locked out.”

Here at IT Security Thing we cannot say that this story has taken us by surprise. Go read some of my pieces on the subject over at Digital Health Intelligence and you will find I have been warning about the dangers of an insecure cyber-NHS for some time now.