Despite attempts for improved security provision, the UK's Department of Health has admitted that all 200 NHS trusts assessed for cybersecurity vulnerabilities have failed to meet the standard required.
Civil servants revealed the news in a parliamentary hearing earlier this week, which heard of the effects of the WannaCry ransomware attack on parts of the NHS last year.
The malware affected 300,000 computers in 150 countries in May last year, including 48 NHS trusts, also shutting down multiple hospital IT systems as well as companies and universities elsewhere.
At the time, NHS Digital said the NHS itself was not specifically the target of the attack but part of a wider "Wanna Decryptor" ransomware campaign that was only thwarted when a security researcher discovered a 'kill switch' that stopped the attack in its tracks.
However, hospital trusts across England and Scotland admitted they'd been caught up in the attack, with appointments cancelled, phone lines down and ambulances diverted. Doctors and other staff had also been sharing further details on Twitter, with one screenshot suggesting the ransomware was demanding $300 in Bitcoin to decrypt files, with the price doubling after three days.
Appearing before the Commons' Public Accounts Committee on Monday, NHS Digital deputy chief executive Rob Shaw said trusts were still failing to meet cyber security standards since the WannaCry debacle, admitting some have a "considerable amount" of work to do.
"The amount of effort it takes from NHS providers in such a complex estate to reach the Cyber Essentials Plus standard that we assess against as per the recommendation in Dame Fiona Caldicott's report, is quite a high bar. So some of them have failed purely on patching, which is what the vulnerability was around WannaCry," he said.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Simon Stevens, the chief executive of NHS England, added: "A whole bunch of things need to change."
The total cost of the impact on the NHS is still unknown, as and may never be, attendees heard.
The UK's Foreign Office officially blamed North Korea for the WannaCry campaign in December, though the country's regime denies involvement.
Following WannaCry, officials set aside 20 million for the NHS to create a security centre designed to constantly probe the organisation's cyber defences using ethical hackers, as well as issuing best practice guidance around cybersecurity incidents.
The National Audit Office (NAO) slammed the NHS's security in October last year, saying "basic IT security" measures would have prevented WannaCry from causing the chaos it did.
"It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry so the department and the NHS need to get their act together to ensure the NHS is better protected against future attacks," said Amyas Morse, head of the NAO, at the time.