NHS Ignore IT Security Recommendations Despite WannaCry Attack

The NHS’s IT governing body is refusing to invest in cybersecurity protection as it does not represent value for money. According to the Health Service Journal, NHS Digital is set to ignore the recommendations laid out in a government-sanctioned report authored by its own CIO due to the costs being too high.

Commenting on the news are the following security professionals:

Javvad Malik, Security Advocate at AlienVault:

Javvad Malik

Javvad Malik

“Many of the reports issued, or guidance offered by independent professionals to any organisation are generally broad and don’t take into consideration the individual business, technological, and economic factors that affect individual organisations.

It would be wrong to say that the NHS has outright refused to implement the suggestions of the ICO in terms of improving security. Rather, that to implement each control as specified would be cost-prohibitive, and that the NHS will implement security controls in a manner that is in line with its budget and priorities.

It is also worthwhile bearing in mind that organisations that invest more in security don’t necessarily achieve better outcomes, as presented in the recent AT&T Business Cybersecurity Insight report vol.8″

Sam Curry, Chief Security Officer at Cybereason:

“There are only three possibilities. First, it’s possible that the advice over compensates. For all security measures such as this one, initial implementations are introduced and along the way it can slow business and efficiency. In medicine this can be extreme, as interruptions can result in literal life lost. This is easily addressed with a panel to look at choices made.

Second, it’s possible that they have made the right call, accepting some measures and rejecting others.

Finally, they may have the wrong incentives. Put plainly, they may not care enough. That’s not an indictment; it may just be a fact. Are they incented to really care about pursuing privacy and security beyond a binary yes/no answer? How much do they care? Is it a first principle? The solution emerges then: make a formal, reasoned statement about the degree of care and the importance of privacy and security. If nothing else, GDPR paints a clear set of signposts at least until Brexit. Then convene an internal panel of players on IT risk and an external advisory group of cyber experts to guide next steps and make this an ongoing process of risk and value trade offs.”