NHS ignores IT security recommendations despite WannaCry attack

The NHS’s IT governing body is refusing to invest in cybersecurity protection on the grounds that it does not represent value for money. According to the Health Service Journal, NHS Digital is set to ignore the recommendations laid out in a government-sanctioned report authored by its own CIO because the costs are too high.


Commenting on the news is Javvad Malik, security advocate at AlienVault:

Many of the reports issued, or guidance offered, by independent professionals to any organisation are generally broad and don’t take into consideration the individual business, technological, and economic factors that affect individual organisations.


It would be wrong to say that the NHS has outright refused to implement the suggestions of the ICO in terms of improving security. Rather, implementing each control as specified would be cost-prohibitive, and the NHS will implement security controls in a manner that is in line with its budget and priorities.


It is also worthwhile bearing in mind that organisations that invest more in security don’t necessarily achieve better outcomes, as presented in the recent AT&T Business Cybersecurity Insights report, vol. 8.