NHS must spend now to prevent devastation of ‘WannaCry 2.0’


The government must urgently pump more money into cyber security within the NHS to plug gaps that leave the healthcare system vulnerable to an attack more destructive than WannaCry.

Although many positive steps have been taken since the 2017 attack, a lack of investment, a deficit of skills and awareness, and the use of outdated systems are putting patients at risk, according to a white paper prepared by the Institute of Global Health Innovation (IGHI).

These key areas must be addressed urgently or the consequences will be "catastrophic" as the NHS increasingly relies on technology.

"We are in the midst of a technological revolution that is transforming the way we deliver and receive care," said co-director for the IGHI Lord Darzi.

"But as we become increasingly reliant on technology in healthcare, we must address the emerging challenges that arise in parallel. For the safety of patients, it is critical to ensure that the data, devices and systems that uphold our NHS and therefore our nation's health are secure.

"This report highlights weaknesses that compromise patient safety and the integrity of health systems, so we are calling for greater investment in research to learn how we can better mitigate against the looming threats of cyber-attacks."

Three key areas of weakness

Healthcare IT has suffered from "chronic underspending" compared with other sectors, the report claimed, with NHS organisations spending 1-2% of running costs on IT services compared with 4-10% elsewhere. This underlines a desperate situation in which more funding is urgently needed.

There is often a trade-off in all sectors when it comes to allocating funds, but the NHS generally does not see cyber security as a priority compared with other areas.

The IT landscape within the health sector, meanwhile, is inconsistent and patchy, with several different networks and connections requiring different security approaches. It is therefore unsurprising, the report found, that old software remains in use for as long as it does.

Critically, without an asset inventory of what is on a network at any given time, organisations may find themselves trying to patch "that which they don't know exists". No catalogue currently exists that lists all the software and hardware deployed across the NHS.
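To make the "patching what you don't know exists" problem concrete, the script below is an added illustration and not code from the IGHI report or any NHS body. It reconciles a constructed discovery sweep (what actually answered on the network) against a constructed asset inventory (what the organisation believes it owns) and reports the four gaps a patch team needs before it can claim full coverage: live hosts absent from the inventory, inventoried hosts that no longer answer, hosts whose recorded OS differs from what they report, and hosts not on an assumed approved-OS baseline. All host names, addresses and the baseline set are invented for the example.

```python
"""Reconcile a discovery sweep against an asset inventory and flag the gaps.

Added example: the inventory, the sweep results and the approved-OS baseline
below are all constructed for illustration; nothing here is real NHS data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    ip: str
    hostname: str
    os: str


# Constructed inventory: what the organisation believes is on the network.
INVENTORY = [
    Host("10.0.1.10", "ward-pc-01", "Windows 10"),
    Host("10.0.1.11", "ward-pc-02", "Windows 10"),
    Host("10.0.1.20", "pacs-srv-01", "Windows Server 2016"),
    Host("10.0.1.30", "mri-console", "Windows 7"),
    Host("10.0.1.40", "old-print-srv", "Windows Server 2008"),
]

# Constructed sweep results: what actually answered (e.g. from an OS-detection scan).
DISCOVERED = [
    Host("10.0.1.10", "ward-pc-01", "Windows 10"),
    Host("10.0.1.11", "ward-pc-02", "Windows 7"),        # inventory says it was upgraded
    Host("10.0.1.20", "pacs-srv-01", "Windows Server 2016"),
    Host("10.0.1.30", "mri-console", "Windows 7"),
    Host("10.0.1.55", "unknown-device", "Windows XP"),   # nobody ever recorded it
]

# Assumed approved baseline; anything else needs a migration or an exception record.
APPROVED_OS = {"Windows 10", "Windows Server 2016"}


def reconcile(inventory, discovered, approved=APPROVED_OS):
    """Return the gaps between what is recorded and what is live, keyed by IP."""
    inv = {h.ip: h for h in inventory}
    seen = {h.ip: h for h in discovered}
    unknown = sorted(ip for ip in seen if ip not in inv)
    missing = sorted(ip for ip in inv if ip not in seen)
    drift = sorted(ip for ip in inv if ip in seen and seen[ip].os != inv[ip].os)
    off_baseline = sorted(ip for ip, h in seen.items() if h.os not in approved)
    return {
        "unknown": unknown,            # live but not inventoried: no patch plan covers it
        "missing": missing,            # inventoried but silent: offline or decommissioned
        "os_drift": drift,             # inventory and host disagree about the OS
        "off_baseline": off_baseline,  # live hosts not on an approved OS
    }


def coverage(inventory, discovered):
    """Fraction of live hosts that the inventory actually knows about."""
    known = {h.ip for h in inventory}
    live = {h.ip for h in discovered}
    return len(live & known) / len(live) if live else 1.0


if __name__ == "__main__":
    for key, ips in reconcile(INVENTORY, DISCOVERED).items():
        print(f"{key:13s} {ips}")
    print(f"inventory coverage of live hosts: {coverage(INVENTORY, DISCOVERED):.0%}")
```

The point of splitting the output four ways is that each list goes to a different owner: unknown hosts need an owner before they can be patched at all, missing hosts need confirming as decommissioned rather than assumed safe, OS drift means the inventory itself cannot be trusted as a patching source, and off-baseline hosts are the migration backlog. Run on a real estate, the inventory would come from a CMDB export and the sweep from a scanner, with the same reconciliation logic.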

Financial shortages are also making it difficult to hire competent cyber security personnel, given the large pay gap between the public and private sectors.

Next-gen health and social care

The report also highlighted a number of emerging technologies that can improve practices and standards across the NHS, including algorithmic decision-making and smart devices. But these simultaneously leave the health and social care sector more vulnerable to attack.

Electronic health records (EHRs), for example, will be the foundation of future digital healthcare systems. But if access controls for individual users are not configured properly, EHRs will be vulnerable to infiltration. EHR infrastructure must be flexible enough to serve patients' needs while resting on a secure and well-maintained data architecture.

Relying on third parties to hold information in the cloud also comes with risks; the report points to a spate of recorded incidents in which data managed by specialist third-party staff has been hacked and stolen. Moreover, despite NHS Digital guidance last year approving healthcare organisations' use of the cloud, the fragmented structure of the health service has made it difficult to adopt cloud computing on any meaningful scale.

Robotics, meanwhile, can transform the delivery of care by carrying out repetitive tasks and aiding a human surgeon. Removing the human factor from decision-making entirely, however, may have implications for clinical liability and accountability, and the health service is not yet prepared to manage this safely and securely at scale.

Improving NHS cyber resilience

The risks aren't exclusive to the NHS but extend to healthcare institutions across the world. A recent study, however, found the health sector is the fastest industry at addressing common software flaws.

Healthcare organisations took just six days to address a quarter of the vulnerabilities in their code, and seven months to fix 75% of flaws. That is eight months faster than the average organisation, which takes 15 months to reach the same point.

In a positive light, the UK government has taken a number of steps to rectify the vulnerabilities exposed by the WannaCry attack over the last two years.

Systems are expected to transition to Windows 10 by the end of 2019, for example, after the NHS struck a deal with Microsoft allowing cost-free upgrades for Trusts that sign up to a special programme.

IBM was also recruited last July in a three-year deal worth £30 million, which gives NHS Digital access to its advanced security services, such as scanning and malware analysis.

But the landscape set out by the IGHI for the UK's NHS is relatively dire and points largely to the lack of funding needed to truly boost cyber resilience. One year after WannaCry, for instance, not a single Trust had passed the government's cyber security assessment.

"Since the WannaCry attack in 2017, awareness of cyber-attack risk has significantly increased," said the lead author of the report Dr Saira Ghafur.

"However we still need further initiatives and awareness, and improved cyber security 'hygiene' to counteract the clear and present danger these incidents represent.

"The effects of these attacks can be far-reaching - from doctors being unable to access patients' test results or scans, as we saw in WannaCry, to hackers gaining access to personal information, or even tampering with a person's medical record."

An NHSX spokesperson said: "The NHS is determined to keep its systems safe from cyber attack and every part of the NHS is given clear direction to protect their own systems and the information they hold whilst nationally cyber defences are in place, led by NHS Digital working closely with the National Cyber Security Centre.

"There is still much to do, which is why an extra £150m is boosting hospital defences alongside a national deal on Microsoft licences, and NHSX will be setting national strategy and mandating cyber security standards so that local NHS and social care systems have security designed in from the start."

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.