NHS must spend now to prevent devastation of ‘WannaCry 2.0’

Positive moves are being made but they will count for nothing if a more sophisticated attack strikes


The government must urgently pump more money into cyber security within the NHS to plug gaps that render the healthcare system vulnerable to an attack more destructive than the WannaCry saga.

Although many positive steps have been taken since the 2017 attack, a lack of investment, a deficit of skills and awareness, and the use of outdated systems are putting patients at risk, according to the white paper prepared by the Institute of Global Health Innovation (IGHI).


These key areas must be addressed urgently or the consequences will be "catastrophic" as the NHS increasingly relies on technology. 

"We are in the midst of a technological revolution that is transforming the way we deliver and receive care," said co-director for the IGHI Lord Darzi.

"But as we become increasingly reliant on technology in healthcare, we must address the emerging challenges that arise in parallel. For the safety of patients, it is critical to ensure that the data, devices and systems that uphold our NHS and therefore our nation's health are secure.

"This report highlights weaknesses that compromise patient safety and the integrity of health systems, so we are calling for greater investment in research to learn how we can better mitigate against the looming threats of cyber-attacks."

Three key areas of weakness

Healthcare IT has suffered from 'chronic underspending' compared with other sectors, the report claimed, with NHS organisations spending 1-2% of running costs on IT services compared with 4-10% elsewhere. This underlines a desperate situation in which more funding is urgently needed.


There is often a trade-off in all sectors when it comes to allocating funds, but the NHS generally does not see cyber security as a priority compared with other areas.

The IT landscape within the health sector, meanwhile, is inconsistent and patchy, with several different networks and connections requiring different security approaches. It is therefore not unusual for old software to stay in use for as long as it does, the report found.

Critically, without asset inventories of what is on a network at any time, organisations may find themselves trying to patch "that which they don't know exists". This is because no cataloguing system exists to list all software and hardware deployed in the NHS.

Financial shortages are also leading to difficulties in hiring competent cyber security personnel given the large pay gaps between the public and private sector.

Next-gen health and social care

The report also highlighted a number of emerging technologies that can improve practices and standards across the NHS, including algorithmic decision-making and smart devices. But these simultaneously leave the health and social care sector more vulnerable to attack.


Electronic health records (EHRs), for example, will be the foundation of digital healthcare systems in future. But if the parameters for access and control for an individual are not configured properly, EHRs will be vulnerable to infiltration. The infrastructure for EHRs must provide secure flexibility so it can serve patients' needs while also speaking to a secure and hygienic data architecture.

Relying on third parties to hold information in the cloud also comes with risks; namely, there is a spate of recorded incidents where data monitored by specialist third-party staff has been hacked and stolen. Moreover, despite NHS Digital guidance last year approving healthcare organisations' use of the cloud, the fragmented structure of the health service means it has proven difficult to adopt cloud computing on any meaningful scale.


Robotics, meanwhile, can transform the delivery of care by carrying out repetitive tasks and aiding a human surgeon. Removing the human factor from decision-making entirely, however, may have implications for clinical liability and accountability, and the health service is not yet prepared to manage this safely and securely at scale.

Improving NHS cyber resilience

The risks aren't exclusive to the NHS, but apply to all healthcare institutions across the world. A recent study, however, found the health sector is the fastest industry when it comes to addressing common software flaws.


Healthcare organisations took just six days to address a quarter of vulnerabilities in code, and just seven months to fix 75% of flaws. This is almost eight months faster than the average organisation, which takes 15 months.

On a positive note, the UK government has taken a number of steps over the last two years to rectify the vulnerabilities exposed by the WannaCry attack.

Systems are expected to transition to Windows 10 by the end of 2019, for example, after the NHS struck a deal with Microsoft to allow cost-free upgrades to Trusts that sign up to a special programme.

IBM was also recruited last July in a three-year deal worth £30 million, which gives NHS Digital access to its advanced security services such as scanning and malware analysis.

But the landscape set out by the IGHI for the UK's NHS is relatively dire and points largely towards a lack of funding needed to truly boost cyber resilience. One year after WannaCry, for instance, not a single Trust passed the government's cyber security assessment.


"Since the WannaCry attack in 2017, awareness of cyber-attack risk has significantly increased," said the lead author of the report Dr Saira Ghafur.

"However, we still need further initiatives and awareness, and improved cyber security 'hygiene' to counteract the clear and present danger these incidents represent.

"The effects of these attacks can be far-reaching - from doctors being unable to access patients' test results or scans, as we saw in WannaCry, to hackers gaining access to personal information, or even tampering with a person's medical record."

An NHSX spokesperson said: "The NHS is determined to keep its systems safe from cyber attack and every part of the NHS is given clear direction to protect their own systems and the information they hold whilst nationally cyber defences are in place, led by NHS Digital working closely with the National Cyber Security Centre.

"There is still much to do, which is why an extra £150m is boosting hospital defences alongside a national deal on Microsoft licences and NHSX will be setting national strategy and mandating cyber security standards so that local NHS and social care systems have security designed in from the start."
