A mere one of the NHS’s 200+ trusts has passed the government’s “Cyber Essentials Plus” test, according to a worrying new audit report.

The National Audit Office (NAO) report reveals that of the 204 trusts that had mandatory on-site cybersecurity inspections, only one got the full pass mark required for “Cyber Essentials Plus” accreditation.

See also: The UK’s Newly Streamlined “Cyber Essentials” 

To get the NCSC-backed certificate, organisations need a 100 percent pass mark against a range of security tests, including an external vulnerability assessment, an internal scan and an on-site assessment.

These check access control, firewall configurations and patch management processes, among a range of other factors.

Most trusts didn’t come close to a clean sheet.

NHS Trusts Cybersecurity Tests: Scores Ring Alarm Bells

“The average score across the trusts was 63 percent”, the NAO report, published late Friday, notes.

“However, NHSX and NHS Digital consider some trusts have reached an acceptable standard,” it adds, saying that improvements have been made since the devastating 2017 WannaCry ransomware attack.

Security, however, “remains an area of concern.”

(Experts say the challenges of upgrading hardware that still relies on legacy operating systems like XP, or on software that is no longer produced or patched, are huge in the NHS. Much of the affected equipment is vital to offering good healthcare and still functions perfectly well in a medical sense.)
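To make concrete why a trust can average a respectable score and still fall short of the Cyber Essentials Plus bar, here is an added example (not code from the NAO report or from the NCSC scheme) that runs a handful of simplified Cyber Essentials-style controls over a constructed host inventory and reports both a percentage score and the all-or-nothing pass the scheme requires. The control set, the `UNSUPPORTED_OS` list and every host in `INVENTORY` are assumptions made for the illustration; the 14-day window for critical and high patches reflects the scheme's requirement as I understand it, and a single unsupported XP device is enough to fail the whole assessment.

```python
"""Toy Cyber Essentials-style assessor (added illustration, not the scheme's own tooling)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed reference data for the example.
ASSESSMENT_DATE = date(2020, 5, 18)              # assumed assessment day
UNSUPPORTED_OS = {"Windows XP", "Windows 7"}     # assumed out-of-support OS families
PATCH_WINDOW = timedelta(days=14)                # critical/high patches due within 14 days


@dataclass
class Host:
    name: str
    os: str
    firewall_enabled: bool
    default_password_changed: bool
    # Release date of the oldest critical/high patch not yet applied, or None if fully patched.
    oldest_pending_critical_patch: Optional[date]


def check_host(host: Host, today: date = ASSESSMENT_DATE) -> Dict[str, bool]:
    """Apply four simplified controls to one host; True means the control passes."""
    patch_ok = (host.oldest_pending_critical_patch is None
                or today - host.oldest_pending_critical_patch <= PATCH_WINDOW)
    return {
        "supported_os": host.os not in UNSUPPORTED_OS,        # legacy OS check
        "firewall": host.firewall_enabled,                     # firewall configuration
        "access_control": host.default_password_changed,       # default credentials removed
        "patching": patch_ok,                                  # patch management
    }


def assess(hosts: List[Host]) -> dict:
    """Score an inventory two ways: percentage of checks passed, and the 100 percent pass mark."""
    results = {h.name: check_host(h) for h in hosts}
    checks = [ok for r in results.values() for ok in r.values()]
    score = 100.0 * sum(checks) / len(checks)
    failures = {
        name: [control for control, ok in r.items() if not ok]
        for name, r in results.items()
        if not all(r.values())
    }
    # The scheme's bar is all-or-nothing: any failing control on any host fails the assessment.
    return {"score": score, "passed": not failures, "failures": failures}


# Constructed inventory: two clean workstations, a legacy imaging console and a device
# still on its default password.
INVENTORY = [
    Host("ward-pc-01", "Windows 10", True, True, None),
    Host("ward-pc-02", "Windows 10", True, True, date(2020, 5, 10)),   # 8 days old, inside window
    Host("mri-console", "Windows XP", False, True, date(2019, 1, 8)),  # legacy scanner console
    Host("reception-01", "Windows 10", True, False, None),             # default password unchanged
]

if __name__ == "__main__":
    report = assess(INVENTORY)
    print(f"score: {report['score']:.0f}%  passed: {report['passed']}")
    for name, controls in report["failures"].items():
        print(f"  {name}: failed {', '.join(controls)}")
```

Run as-is, the inventory scores 75 percent yet does not pass, because the XP console fails three controls and the reception device one; fixing or isolating those two hosts is what moves the trust from "average score" to an actual pass.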

Interoperability Challenges Abound

The comments came as part of a broader investigation into the shape of NHS digitalisation.

The report also warns that the ambition to achieve IT systems and data interoperability across the NHS “will be very challenging to fully achieve” in the absence of a “carefully considered plan with a realistic schedule”.

Previous attempts to implement standards resulted in “the use of multiple standards or different versions of the same standard”, it adds.

Computer Business Review is reminded of this XKCD cartoon…

The report also emphasised what the NAO sees as a “tension between the ambitions to achieve [inter-NHS trust] interoperability and the aim to increase the number of technology suppliers to the NHS.”

The comments came after policy makers moved to break the apparent stranglehold of just two IT suppliers on the GP systems market.

EMIS and TPP, it says, supplied around 95 percent of the GP market, in part owing to a procurement framework (“the GP Systems of Choice”) that meant buyers looking to update GPs’ clinical IT systems had the choice of just four IT systems that would then be funded by clinical commissioning groups.

That has now been replaced by a new framework (“GP IT Futures”) designed to offer more options for CIOs and their procurement teams. This includes 69 suppliers, including seven offering core GP IT systems.

“NHSX and NHS Digital intend to use contractual frameworks to ensure all technology suppliers meet standards that will allow interoperability between IT systems,” the National Audit Office notes, saying that “increasing the number of suppliers could make interoperability more difficult to achieve because there will be more system-to-system integrations required.”

The report’s authors add: “NHSX intends to address this problem by asking local organisations to build a ‘data layer’ to support data access and exchange across different systems (with the intention that these layers will eventually be linked). However, NHSX has not yet defined what work is needed to achieve this; our previous work shows that other parts of government found similar approaches to be expensive and problematic.”

Among the other NAO concerns about NHS digitalisation are:

That NHSX — the organisation tasked with driving NHS digital transformation — is “unclear about the whole-life costs and benefits” of the different approaches to digital transformation at a local level.

Among the examples it offers are the choices that NHS organisations have when it comes to modernising electronic patient record systems to store and share information (systems central to digitalisation ambitions intended to make data sharable and updateable in real time).

As the NAO notes: “NHSX expects trusts to take one of three approaches to developing a system consistent with national ambitions: to buy an enterprise-wide system; to integrate multiple record systems; or to build their own system… But NHSX does not have comparable whole-life-cost information for the three approaches, nor does it know the hidden costs which trusts incur as a result of the inefficiencies of legacy IT systems.”

Read the full NAO report [pdf] here. 

See also: The Top 10 Most Exploited Vulnerabilities: Intel Agencies Urge “Concerted” Patching Campaign