The NHS remains vulnerable to cyber-attack and must take urgent steps to defend against threats that could put the safety of patients at risk, says a report written by researchers from Imperial College London’s Institute of Global Health Innovation, led by Professor the Lord Ara Darzi.
Lord Darzi, Co-Director of the Institute (IGHI), said: “We are in the midst of a technological revolution that is transforming the way we deliver and receive care. But as we become increasingly reliant on technology in healthcare, we must address the emerging challenges that arise in parallel. For the safety of patients, it is critical to ensure that the data, devices and systems that uphold our NHS and therefore our nation’s health are secure.
“This report highlights weaknesses that compromise patient safety and the integrity of health systems, so we are calling for greater investment in research to learn how we can better mitigate against the looming threats of cyber-attacks.”
Healthcare systems have faced cyber-attacks in recent years, including WannaCry in 2017, when a computer virus prevented staff in around 34 NHS trusts from accessing patient data and critical services. Thousands of appointments were cancelled, and in some cases patients were sent to other hospitals. The total cost of the attack to the NHS was estimated by the Department of Health and Social Care at around £92m.
The report authors warn that WannaCry was relatively crude and unsophisticated – and that the number and sophistication of attacks on the NHS are rising. The report suggests employing cyber security professionals in IT teams, building ‘fire-breaks’ into IT systems so that segments can be isolated if infected with a computer virus, and having clear communication systems so staff know where to get help and advice on cyber security.
Dr Saira Ghafur, lead author of the report, said: “Since the WannaCry attack in 2017, awareness of cyber-attack risk has significantly increased. However, we still need further initiatives and awareness, and improved cyber security ‘hygiene’ to counteract the clear and present danger these incidents represent. The effects of these attacks can be far-reaching – from doctors being unable to access patients’ test results or scans, as we saw in WannaCry, to hackers gaining access to personal information, or even tampering with a person’s medical record.
“Addressing the issue of cyber security will take time, as we need a shift in culture, awareness and infrastructure. Security needs to be factored into the design of digital tools and not be an afterthought. NHS trusts are already under financial pressure, so we need to ensure they have the funds available to ensure robust protection against potential threats.”
Jake Moore, Cybersecurity Specialist at the cybersecurity firm ESET, said: “In the wake of WannaCry, which attacked many organisations including the NHS, you’d think the security in place would have been stepped up to maximum strength. But the truth is that sensitive data of this magnitude will always carry a high level of risk and attract criminal attention. More and more third-party technology firms are brought into helping government organisations with their day-to-day work as outsourcing is seen as a cheaper option. However, when such third-party operations are chosen, the main reason can sometimes be on cost alone, which can inevitably put security and protection of the systems lower down the priority list. To see the NHS attacked again would be a disaster, therefore protecting confidential health data on its patients should be seen as priority number one whatever the cost.”