A warning has been issued to the NHS that new investment is urgently required if the health system and patients are to be protected against the increased threat of cyber attacks.
Researchers from Imperial College London’s Institute of Global Health Innovation, led by Professor the Lord Ara Darzi, presented a new report to the House of Lords stating that a combination of outdated computer systems, lack of investment, and a deficit of skills and awareness in cyber security is placing NHS hospitals at risk.
In 2017 the NHS was hit hard by the global WannaCry cyber attack, which affected 81 out of 236 Trusts. A further 603 primary care and other NHS organisations were also affected.
WannaCry wasn’t a particularly sophisticated attack and could have been prevented by NHS organisations patching their Windows operating systems, or by managing their Internet-facing firewalls more effectively.
A National Audit Office investigation into the attack pointed to a shocking lack of insight and controls from the Department of Health, as well as an unwillingness or inability from NHS Trusts to respond to central guidance and support.
The report out this week notes that a cyber attack on hospital computer systems can leave medical staff unable to access important patient details, such as blood test results or X-rays, meaning that they would be unable to offer appropriate and timely care. It notes that an attack can also prevent life-saving medical equipment or devices from working properly, and in some cases lead to patient data being stolen.
The research team behind the report collated evidence from NHS organisations and examples from previous attacks in the UK and across the globe. They commended existing measures put in place across the health system, but said that “more investment is urgently needed”.
The authors of the report also point to the number of new technologies being used across the NHS, such as robotics, artificial intelligence, implantable medical devices and personalised medicines based on a person’s genes. They urge scientists to build security into the design of these technologies.
Lord Darzi, Co-Director of the Institute of Global Health Innovation (IGHI), said:
We are in the midst of a technological revolution that is transforming the way we deliver and receive care. But as we become increasingly reliant on technology in healthcare, we must address the emerging challenges that arise in parallel. For the safety of patients, it is critical to ensure that the data, devices and systems that uphold our NHS and therefore our nation’s health are secure.
This report highlights weaknesses that compromise patient safety and the integrity of health systems, so we are calling for greater investment in research to learn how we can better mitigate against the looming threats of cyber-attacks.
The report notes that the 2017 WannaCry attack on the NHS cost the health service an estimated £92 million. However, the authors add that the attack was “relatively crude and unsophisticated” - the implication being that the damage could be much worse given that the number and sophistication of attacks on the NHS are rising.
In October 2018, the Department of Health and Social Care announced a spend of £150 million over the next three years to protect key services from the threat of cyber attacks. The Department also recently formed a new unit overseeing digital transformation, called NHSX, which it is hoped will help streamline cyber security accountabilities.
The researchers recommend a number of initiatives that NHS Trusts should implement in order to increase cyber resilience, including: employing cyber security professionals in their IT teams, building ‘fire-breaks’ into their systems to allow certain segments to become isolated if infected with a computer virus, and having clear communication systems so staff know where to get help and advice on cyber security.
Dr Saira Ghafur, lead author of the report from the IGHI, explained:
Since the WannaCry attack in 2017, awareness of cyber-attack risk has significantly increased. However, we still need further initiatives and awareness, and improved cyber security ‘hygiene’ to counteract the clear and present danger these incidents represent. The effects of these attacks can be far-reaching – from doctors being unable to access patients’ test results or scans, as we saw in WannaCry, to hackers gaining access to personal information, or even tampering with a person’s medical record.
Addressing the issue of cyber security will take time, as we need a shift in culture, awareness and infrastructure. Security needs to be factored into the design of digital tools and not be an afterthought.
NHS trusts are already under financial pressure, so we need to ensure they have the funds available to ensure robust protection against potential threats.