Seven NHS trusts, serving more than two million people, spent nothing on cybersecurity in 2015.
Sky News worked with security experts to find serious flaws in their cybersecurity, which could be easily exploited by relatively unskilled hackers.
Hacker House was able to find misconfigured email servers, outdated software and security certificates, along with NHS trusts' emails and passwords, through public searches.
Jennifer Arcuri, co-founder of Hacker House, told Sky News: "I would have to say that the security across the board was weak for many factors.
"Out of date SSLs, out of date software, it was very clear that you could bypass any number of these trusts just by doing the right recon online.
"So if I was an adversary looking to get into any of these trusts or take advantage or change, manipulate or send communications on behalf of a doctor, I could, just because the information was already there."
Gary Colman, an NHS employee attached to the West Midlands Ambulance Service who conducts penetration testing of trusts, told Sky News: "It's a game of cat and mouse to be honest.
"It's ever evolving. And trying to stay on top as both a hacker, an ethical hacker, but also from the point of view of NHS IT teams, is just a huge task.
"We find varying levels of IT security within the NHS, and local government as well. Some organisations are very very secure, others need a little more attention.
"At the end of the day if someone hacks into an NHS trust, somebody could die."
Last week, two NHS trusts in Lincolnshire were forced to cancel operations after a virus infected their computer systems.
Derriford Hospital in Plymouth was also targeted by hackers and had to restore its systems from a back-up.
Hospitals in the US have been shut down by hackers demanding ransoms.
The investigation, carried out using Freedom of Information laws, revealed a postcode lottery when it comes to cybersecurity.
Sky News received responses from 97 NHS trusts.
The average annual spend for an NHS trust was £23,040, but six trusts spent at least £100,000.
Forty-five NHS trusts were unable to specify their cybersecurity budget at all.
The investigation also revealed that trusts are suffering an increasing amount of personal data breaches, from 3,133 in 2014 to 4,177 last year, and that cyber incidents are accounting for more breaches, from eight in 2014 to 60 last year.
A Department of Health spokesman said: "We expect all parts of the NHS to take the threat of cybersecurity extremely seriously so that patient data is protected.
"We already have in place cybersecurity support services such as careCERT, and are continuing to take action with NHS Digital to enable Hospital Trusts to drive forward improvements in security where needed."
:: A previous version of this article said Derriford Hospital paid a ransom. This was incorrect. The hospital restored its system from a back-up, avoiding a ransom.
No comments:
Post a Comment