Each of the 200 NHS trusts tested for cyber security resilience has failed the test, MPs were told yesterday.

Speaking to the Public Accounts Committee, NHS Digital’s Rob Shaw said that while some trusts are close to satisfying the requirements, others have a considerable amount of work still to do.

“The amount of effort it takes for NHS providers in such a complex estate to reach the cyber essential plus standard that we assess against is quite a high bar,” he said. “Some of them have failed purely on patching, which is what the vulnerability was around WannaCry.”

The assessments began before the WannaCry attack paralysed parts of the NHS and thousands of other organisations in May last year. A further 36 trusts are yet to be assessed.

The “relatively unsophisticated” ransomware led to the cancellation of an estimated 19,500 appointments across 81 trusts in England, a National Audit Office (NAO) report revealed last year.

The report concluded that the strike could have been prevented if hospital trusts had taken basic steps to secure their IT systems.

Amyas Morse, head of the NAO, warned that “there are more sophisticated cyber attacks out there” and that the Department for Health and the NHS “need to get their act together”.

The report highlights that while the Department for Health had written to trusts in 2014 to urge them to update old software, it had no formal mechanism for checking that they had done so.