Ransomware attack: IRM responds

The recent ransomware attack on the NHS and over 30,000 companies globally has brought cyber risk to the top of the risk and news agenda. While the impact has been felt beyond the health sector, there are a number of lessons the sector can draw from it, according to Patrick Keady, Chair of the Health and Care Sector Interest Group at the London-based Institute of Risk Management.

“The NHS is unusual because it has so few people with the skills to fundamentally understand risk across the enterprise. While the NHS in England employs 1,300,000 workers, it has just 27 partially/fully trained and experienced enterprise risk managers,” he said. “At the same time, it is reassuring that most of the NHS organisations affected by Wanna Decryptor say they have plans in place to react to the impact of the malware.”

Keady says it has long been known that increasing amounts of IT software and hardware used in the NHS are out-of-date and no longer supported by their manufacturers. “NHS bosses really do need to take major steps now, to prevent similar episodes and the accompanying disruption to patient services,” he added.

Keady undertook research into the current risk registers of the 34 NHS Trusts and Clinical Commissioning Groups reported to have been affected by the cyber attack, carrying out a deep-dive of 8,500+ pages of board papers at those 34 organisations. In his view, the 34 sets of NHS board papers are overcrowded with information, with one set exceeding 400 pages.

His main findings from the 34 organisations were that:
• 10 organisations publish Risk Registers online.
• 13 publish Board Assurance Frameworks online (this requirement was introduced by New Labour circa 2004).
• Nine do not publish risk registers or board assurance frameworks online.
• Two Trust websites were offline yesterday.

Keady singled out Mid-Essex Hospital Services NHS Trust, the only Trust to mention cyber security in their Board Assurance Framework.

“Risks in almost all of the 34 organisations affected on Friday are generally ill defined and do not relate to the organisations’ strategic objectives. Instead they tend to refer to operational programmes and whether targets will be achieved or not,” he added.
