Every NHS trust assessed for cyber security vulnerabilities has failed to meet the standard required, civil servants have said for the first time.

In a parliamentary hearing on the WannaCry attack which disrupted parts of the NHS last year, Department of Health (DoH) officials said all 200 trusts had failed, despite increases in security provision.

The WannaCry attack that began on 12 May is believed to have infected machines at 81 health trusts – nearly a third of the 236 NHS trusts in England – plus computers at almost 600 GP surgeries, according to a National Audit Office (NAO) report released in October.

The National Cyber Security Centre (NCSC) has said it was “highly likely” the attack was carried out by a North Korean cyber organisation known as the Lazarus Group.

Rob Shaw, the NHS Digital deputy chief executive, said trusts were still failing to meet cyber security standards, admitting some have a “considerable amount” of work to do.

Appearing before the Commons’ public accounts committee, he said the department had completed 200 on-site assessments but none had matched the “high bar” set out by the national data guardian, Dame Fiona Caldicott.

“The amount of effort it takes from NHS Providers in such a complex estate to reach the cyber essentials plus standard that we assess against as per the recommendation in Dame Fiona Caldicott’s report, is quite a high bar. So some of them have failed purely on patching which is what the vulnerability was around WannaCry,” he said.

The NAO said the DoH was unable to give a cost for the impact of the outbreak and the full extent of the damage may never be known.



WannaCry was a type of malware known as a ransomware worm, capable of travelling from machine to machine directly, infecting new computers across corporate networks.

When it managed to infect a new machine, it first worked silently in the background to embed itself within the operating system, then restarted the computer and began encrypting the hard drive, rendering it impossible to read without the encryption key. Victims were offered the chance to buy the key for $300 (£214).

The NCSC did not release its findings, but other security researchers came to the same conclusion based on elements in the code of the program that were similar to known North Korean malware.

Simon Stevens, the chief executive of NHS England, told the meeting: “A whole bunch of things need to change.”

