The NHS remains vulnerable to cyber-attack, and must take urgent steps to defend against threats which could risk the safety of patients.
This is the finding of a new White Paper on NHS Cyber Security presented at the House of Lords.
For the safety of patients, it is critical to ensure that the data, devices and systems that uphold our NHS and therefore our nation’s health are secure. Professor the Lord Ara Darzi Co-Director, Institute of Global Health Innovation
The report, written by researchers from Imperial College London’s Institute of Global Health Innovation led by Professor the Lord Ara Darzi, suggests a combination of out-dated computer systems, lack of investment, and a deficit of skills and awareness in cyber security is placing NHS hospitals at risk.
A cyber-attack on a hospital’s computer system can leave medical staff unable to access important patient details – such as blood test results or X-rays, meaning they are unable to offer appropriate and timely care. It can also prevent life-saving medical equipment or devices from working properly, and in some cases lead to patient data being stolen.
The research team – who collated evidence for the report from NHS organisations and examples of previous attacks in the UK and across the globe – commend existing measures put in place across the health system, but say more investment is urgently needed.
The report outlines a number of key measures for NHS trusts to implement in order to increase cyber resilience. These initiatives include employing cyber security professionals in their IT teams, building ‘fire-breaks’ into their systems to allow certain segments to become isolated if infected with a computer virus, and having clear communication systems so staff know where to get help and advice on cyber security.
The authors also point to the number of new technologies being used in the health system, such as robotics, artificial intelligence, implantable medical devices and personalised medicines based on a person’s genes, and say scientists must build security into the design of these technologies.
Lord Darzi, Co-Director of the Institute of Global Health Innovation (IGHI), said: “We are in the midst of a technological revolution that is transforming the way we deliver and receive care. But as we become increasingly reliant on technology in healthcare, we must address the emerging challenges that arise in parallel. For the safety of patients, it is critical to ensure that the data, devices and systems that uphold our NHS and therefore our nation’s health are secure.
“This report highlights weaknesses that compromise patient safety and the integrity of health systems, so we are calling for greater investment in research to learn how we can better mitigate against the looming threats of cyber-attacks.”
Building cyber resilience
Cyber-attacks occur when computer hackers attempt to damage, disrupt or gain unauthorised access to computer systems, networks or devices. The hackers’ aim can be to ask a ransom for stopping the attack or the return of personal data, or to maliciously disrupt a system. They use a number of tricks to gain access, such as attaching a computer virus to an email, or exploiting a vulnerability in a computer system.
There have been a spate of attacks on healthcare systems around the world in recent years – including the WannaCry attack in 2017 where a computer virus prevented staff in around 34 NHS trusts from accessing patient data and critical services. Thousands of appointments were cancelled, and in some cases patients were diverted to other hospitals. The total cost of the attack to the NHS has been estimated by the Department of Health and Social Care to be around £92m.
However, the authors of the new report warn the WannaCry attack was relatively crude and unsophisticated – and that the number and sophistication of attacks on the NHS is rising.
Dr Saira Ghafur, lead author of the report from the IGHI, explained: “Since the WannaCry attack in 2017, awareness of cyber-attack risk has significantly increased. However we still need further initiatives and awareness, and improved cyber security ‘hygiene’ to counteract the clear and present danger these incidents represent. The effects of these attacks can be far-reaching – from doctors being unable to access patients test results or scans, as we saw in WannaCry, to hackers gaining access to personal information, or even tampering with a person’s medical record.”
The authors say the situation is not specific to the NHS and all healthcare systems around the world are vulnerable to cyber-attack, and highlight some UK initiatives to address the danger.
Cost of cyber-attacks
In October 2018 the Department of Health and Social Care announced a spend of £150m over the next three years to protect key services from the threat of cyber-attacks. The department also recently announced the creation of a new unit overseeing digital transformation, called NHSX, and it is hoped that this organisation will help streamline cyber security accountabilities.
However, further investment and awareness is required at all levels of the already stretched health system, explained Dr Ghafur:
“Addressing the issue of cyber security will take time, as we need a shift in culture, awareness and infrastructure. Security needs to be factored into the design of digital tools and not be an afterthought.
“NHS trusts are already under financial pressure, so we need to ensure they have the funds available to ensure robust protection against potential threats.”