NHS suffered more than 1,300 hours of downtime in the last three years, FOIs show

NHS Trusts across England experienced more than 1,300 hours' of downtime in the last three years, while a third of Trusts suffered a security breach.

Twenty-five of 80 NHS Trusts experienced the equivalent of 18 days of outage per year between January 2015 and February 2018, according to a Freedom of Information (FOI) survey submitted by specialist IT firm Intercity Technology, while a security breach was responsible for outages suffered by 14 of them.

Putting questions to 143 NHS Trusts in England, the company learned there had been 18 individual security breaches in that period, with one Trust suffering an average of one breach per year.

"NHS trusts across England are currently being pushed to the limit. It's not surprising that they often don't have the resources to dedicate 24/7 support to their IT systems, and the majority of these breaches could be an unfortunate consequence of this," said Intercity Technology's chief commercial officer Ian Jackson.

"Technology has proven to help facilitate the provision of care within the NHS, boost efficiencies and alleviate some of the strain on the system.

"However, if the benefits are to outweigh the potential risks, it's important to ensure that there are sufficient resources, whether in-house or external, to continuously monitor the network and address any issues before they impact daily activity."

Intercity Technology asked 143 NHS Trusts who was responsible for the security monitoring of their IT networks, how many times they had suffered a breach as a result of unpatched or outdated software, and whether they had suffered any downtime as a result of security issues, along with which parts of the IT infrastructure were affected, and for how long.

A handful of Trusts suffered an outage as a result of a security breach during this period cited the WanaCry ransomware attack as the main reason, while others responded saying they fell victim to the Locky and Zepto Viruses. The findings also showed that five trusts experienced downtime after they took their systems offline as a precaution after news of the WannaCry attack first broke.

Sharing specific details behind the outages, one Trust also outlined an issue in which an unauthorised device was plugged into a network which disrupted two wards last year, resulting in two hours' worth of time.

The company also learned that the overwhelming majority of NHS Trusts that suffered a blackout, 23 of the 25, relied on internally-based IT teams for the security monitoring of their networks.

A recent parliamentary report into the WannaCry attack found that not one NHS Trust had passed the minimum cyber security standards, in many cases because they had failed to apply critical patches to their systems.

Although some progress had been made since the ransomware wreaked havoc on NHS systems, including a nearly 200 million investment in improving the NHS' cyber security infrastructure, the report recommended further support and guidance must be offered to local healthcare organisations in pathing their systems, and that staffing plans must take into account the need to strengthen IT and cyber security teams.

In a bid resolve its longstanding security concerns, the Department for Health and Social Care (DHSC) earlier this year agreed on a deal with Microsoft to implement a long-awaited upgrade from legacy Windows operating systems to Windows 10 by 2020.

As part of the deal, NHS devices will be upgraded to Windows 10, with Microsoft pushing the latest security updates to NHS machines as soon as they become available. Trusts will be allowed to upgrade their devices free of charge if they join a special service being set up to manage the rollout.

NHS Digital and NHS England were approached for comment but did notrespondd at the time of writing.

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.