Further investment needed to defend NHS against growing cyber threats, researchers warn

A team from the Institute of Global Health Innovation at Imperial College London published a paper on NHS cybersecurity this week.
By Leontina Postelnicu
11:29 AM

With facilities around the world turning to technology in the hope of easing increasing pressures, healthcare is becoming a prime target for hackers.

Only last month, four hospitals in Romania were hit by cyberattacks, with the ransomware believed by experts to have spread through emails with infected attachments disguised as invoices and plane tickets, creating disruption and slowing down admissions and discharges.

Unless measures to strengthen cyber resilience are taken, this risk will only continue to grow, researchers from the Institute of Global Health Innovation (IGHI) at Imperial College London caution in a new paper that looked at the NHS in the UK, published this week.

WHY IT MATTERS

“This report highlights weaknesses that compromise patient safety and the integrity of health systems, so we are calling for greater investment in research to learn how we can better mitigate against the looming threats of cyber-attacks,” said Professor Lord Ara Darzi, former health minister and director of the IGHI.

Prioritising investment in cybersecurity is needed to ensure the NHS does not remain a “vulnerable target” for hackers, given the “highly heterogeneous and inconsistent” IT ecosystem, the researchers argue.

Even after the WannaCry attack, estimated by the Department of Health and Social Care to have cost the NHS £92m, there is no complete list outlining all hardware and software used across the NHS, leading to “a severe lack of visibility of NHS vulnerabilities”, according to the new paper.

The use of outdated systems, a “complex governance structure” and the lack of skills, with difficulties in recruiting highly-trained cybersecurity specialists, pose additional challenges.

“Since the WannaCry attack in 2017, awareness of cyber-attack risk has significantly increased,” said Dr Saira Ghafur, lead author of the report. “However, we still need further initiatives and awareness, and improved cyber security ‘hygiene’ to counteract the clear and present danger these incidents represent.

“The effects of these attacks can be far-reaching – from doctors being unable to access patients’ test results or scans, as we saw in WannaCry, to hackers gaining access to personal information, or even tampering with a person’s medical record,” Dr Ghafur added.

ON THE RECORD

The beginning of July saw the official launch of the NHSX unit, and the Imperial team hopes this will “help streamline cybersecurity accountabilities” for the health service.

An NHSX spokesperson told Healthcare IT News:

“The NHS is determined to keep its systems safe from cyber attack [sic] and every part of the NHS is given clear direction to protect their own systems and the information they hold whilst nationally cyber defences are in place, led by NHS Digital working closely with the National Cyber Security Centre.

“There is still much to do, which is why an extra £150m is boosting hospital defences alongside a national deal on Microsoft licences and NHSX will be setting national strategy and mandating cyber security standards so that local NHS and social care systems have security designed in from the start.”