The NHS needs to toughen up its cyber security to face the prospect of growing threats, according to a new white paper from a UK university.
Imperial College London’s Institute of Global Health Innovation (IGHI) has sounded the warning in Improving Cyber Security in the NHS, based on evidence from NHS organisations and examples of previous attacks – the most high profile being the spread of the WannaCry virus that disrupted at least 81 out of England’s 236 NHS trusts in May 2017.
The paper says the NHS is vulnerable due to a combination of outdated computer systems, lack of investment and a deficit of skills and awareness in cyber security.
Among the problems it identifies is the complexity of accountabilities for cyber security. For example, the National Cyber Security Centre (NCSC) receives information about a cyber attack from NHS Digital and the Department for Health and Social Care (DHSC), which can make the information transfer complex and cumbersome.
While there is a set of data security protection requirements for different networks, there are no detailed specifications. And while NHS Digital collects information on cyber incidents, it is not statistically evaluated to build an understanding of risks and threats.
The paper also points to emerging threats from new technologies such as the internet of things, connected medical devices, robotics and AI.
Need for new rules
In response, it produces a series of recommendations to strengthen cyber security in the health service. These include modifying procurement rules to prioritise the security and resilience of medical devices and creating new regulatory protocols.
There is also a need for a programme to incentivise the replacement of outdated and unsafe hardware and software in a targeted way, and to assess and catalogue any security flaws in devices.
This would be accompanied by the regular simulation of cyber security incidents and IT failures at local, regional and national levels, and developing a disaster recovery template.
Other recommendations include an expansion of the NHS Digital Data Security programme, and a mapping of interdependencies across the IT landscape. There is also a need for research into the development of future data architecture to restrict the possible damage from cyber attacks, and for a mandated framework for cyber security.
Dr Saira Ghafur, lead author of the report from the IGHI, said: “Since the WannaCry attack in 2017, awareness of cyber attack risk has significantly increased. However, we still need further initiatives and awareness, and improved cyber security hygiene to counteract the clear and present danger these incidents represent.
“The effects of these attacks can be far reaching – from doctors being unable to access patients’ test results or scans, as we saw in WannaCry, to hackers gaining access to personal information, or even tampering with a person’s medical record.”
She acknowledged the DHSC’s pledge of £150 million over the next three years for cyber security, and its creation of NHSX with a brief that includes streamlining accountabilities in the field, but added that further investment and awareness are needed at all levels.
“Addressing the issue of cyber security will take time, as we need a shift in culture, awareness and infrastructure,” she said. “Security needs to be factored into the design of digital tools and not be an afterthought.
“NHS trusts are already under financial pressure, so we need to ensure they have the funds available to ensure robust protection against potential threats.”
The paper’s authors say the situation is not specific to the NHS and all healthcare systems around the world are vulnerable to cyber attack.