Jeremy Hunt, the Health Secretary, has been told to take “urgent” action to prevent another devastating cyber attack on the NHS after a leaked internal report revealed a string of digital security failings in the health service.
The report, by NHS Digital’s head of security operations, Chris Flynn, said there was a “false sense of security” among staff over cyber threats and highlighted a range of security failings, including weak passwords and poorly protected patient data.
Mr Flynn said many NHS trusts, GP practices and clinical commissioning groups had good security policies but that they were not being properly implemented.
The finding raises fresh fears of hackers crippling the NHS after a cyber-attack using the “WannaCry” ransomware hit 47 health trusts in May, leading to more than 15,000 appointments being cancelled and forcing many GP surgeries to close their doors.
The Independent understands that, in the wake of Mr Flynn’s report, Labour has asked Mr Hunt to “immediately assess” the cyber security of all NHS organisations, act to ensure passwords are strengthened and data protections tightened, and launch a full, independent inquiry into the WannaCry attack.
The report, leaked to the Health Service Journal, said many of the NHS organisations studied had not installed vital security updates. The average point at which the oldest missing update should have been applied was four years ago, raising concerns that individual hospitals and practices are failing to put in place key protections against a cyber attack.
The finding is particularly worrying because a failure to apply security updates was what enabled hackers to target NHS computers during the WannaCry attack.
Mr Flynn also found that “practically all” NHS organisations currently give any member of staff with a computer log-in access to confidential data. Patient records, back-up files and even passwords are all accessible even to very junior or temporary staff members.
In addition, a quarter of staff had passwords classed as “very weak”, as did 10 per cent of the administrator log-ins that generally give users additional powers over software and IT systems.
The study took place before the WannaCry attack but highlights how commonplace security flaws are within the NHS.
Labour said Mr Hunt must “wake up” to the threat of further cyber attacks on the NHS.
Justin Madders MP, the Shadow Health Minister, told The Independent: “This damning briefing should be a wake-up call to the Health Secretary that cyber security remains a matter of immediate urgency and must be at the heart of Government planning.
“It is frankly shocking that after the worst cyber security attack in the NHS’s history our health service still remains highly vulnerable to future threats. This is yet another example of how insufficient funding is placing patient safety at risk.
“The Government must immediately act in the interests of patient safety to ensure a similar attack on the NHS never happens again.”
After the attack in May, the Government said NHS organisations would need to be able to prove that they had taken steps to protect secure data.
The NHS has also agreed a deal with Microsoft for custom-built software to detect cyber threats.
The Department for Health referred enquiries about cyber-security to NHS Digital, which has no power over policy other than to advise NHS organisations on their IT systems.
Mr Flynn said: “We want to work with organisations, who we recognise have local responsibility for their own data security, to help them build on the good work they already do.
“These figures represent a small proportion of NHS organisations who were voluntarily assessed in 2016/17, to help industry understand how they can work alongside local and national bodies to improve resilience of passwords, permissions and patching in particular. We know many organisations have made improvements in all of these areas since this time.
“We continue to work closely with national and local partners from across the system to help improve data security.”