If NHS cybersecurity keeps being treated like an IT problem, patients will die
I’m a cyberattack simulation specialist - If NHS cybersecurity isn’t prioritised, more people could die.
A new NHS screening platform will unite the NHS’ computer systems through the cloud, to allow for faster diagnosis of chronic diseases like diabetes and cancer.
Technological advancements like these are at the centre of the government’s 10 year ‘Fit for the Future’ health plan, which promises to upgrade the NHS from ‘analogue to digital’.
But that upgrade comes with major risks: the more the NHS is connected and online, the more opportunities and weak points there are for cyberattackers to exploit, and, once they’re in, the more damage they can do.
The word ‘cybersecurity’ doesn’t appear once in the government’s 171-page ‘Fit for the Future’ NHS plan. Going forward, the government has to stop treating cyberattacks like an IT issue, and start treating them like what they are - a fundamental threat to patient health.
That’s not to say this NHS upgrade shouldn’t take place - it is necessary and presents countless opportunities - but right now the level of protection the NHS has is shockingly inadequate relative to the potential consequences of a major attack like 2017’s catastrophic WannaCry incident.
This is especially pertinent when one of the government’s ambitions is to better leverage the NHS’ resource of ‘world-class data’.
Over the past 12 months, we’ve seen numerous cyberattacks on both civilian and government systems, with the NHS a particular focus. In November last year Alder Hey revealed it had experienced a data breach after a ransomware attack.
Just three months later, a major provider of NHS services in Kent and Surrey revealed a similar breach. Another three months later, the data of two NHS trusts was exposed as part of a cyberattack that leveraged a tool used to manage employee mobile devices.
And of course there was the hack of Synnovis, an agency that manages labs for the NHS. The ransomware attack severely disrupted care at a large number of hospitals and care providers, harmed around 200 patients and led to the death of one.
These attacks aren’t just inconvenient or disruptive; they’re deadly, especially for a health service already in critical condition.
The difficulty in protecting the NHS from a cybersecurity perspective is that it’s a mind-bogglingly large and complex organisation. Its byzantine nature makes covering all of its vulnerabilities an unprecedented challenge.
As the above examples show, a lot of the successful attacks on the service are through third-party software or private providers. Earlier this year an NHS software provider was fined for a 2022 breach that put the personal info of almost 80,000 people at risk and disrupted critical services like NHS 111.
The Information Commissioner issued the fine because appropriate security measures were not in place at the provider.
This highlights part of the problem: the vast web of interconnected services provided by the NHS and its 1.5 million employees (making it one of the world’s 10 largest employers), supported by 53,000 private contracts, is incredibly tricky to draw a protective ring around.
As I’ve been writing this piece, a trust has apologised for a data breach at a wheelchair firm that exposed NHS personal data.
Beyond that, since the pandemic NHS trusts, like so many other workplaces, have relaxed their policy on working from home. With potentially hundreds of thousands of employees doing their jobs remotely, this again increases the number of potential vulnerabilities.
Patients also access the NHS more and more through digital means: over 40 million people now have an NHS login, and over 50% of social care providers now use a digital social care record.
Even the NHS’ own employees are aware of its vulnerability and the government’s failure to protect it. Research from BT found that just 36% of staff believe current cybersecurity measures are enough, and just 42% believe systems are robust enough to safeguard sensitive personal data. Considering health data can be some of the most private and personal we have as people, it’s a staggering revelation that less than half of staff believe that information is safe.
So what can the government do to protect itself as it takes the inevitable step of bringing its infrastructure into the present?
Well, some small but positive steps are already being taken. NHS England has introduced a new Cyber Security Charter, outlining standards that suppliers are expected to meet, including basic measures like applying software updates promptly, implementing multi-factor authentication, and having a board-level plan to ensure a swift response to cyberattacks.
It also now requires trusts to follow a set of guidelines laid out by the National Cyber Security Centre, which covers all aspects of cybersecurity and is aimed at improving future resilience.
It’s also constructive that, following the ransomware attacks listed earlier, the government is banning public bodies from paying out ransoms to hackers.
This is a positive step, although its effectiveness can only go so far while private bodies are still able to pay out to hackers, even if they have to inform the government first.
But these amount to small tweaks when compared to what’s needed. On top of ensuring minimum cybersecurity standards among providers and trusts, there needs to be a more concerted effort to understand the NHS’ interconnectedness and its interdependencies, a better understanding of the evolving nature of cyberattacks, and a stronger focus on human training to lower the risk of human vulnerability and embed a culture of risk awareness across the service.
Furthermore, in my experience the easiest way to see where the holes are in a large and complex system is to run cyberattack simulations to identify the paths of least resistance.
As I said at the start, this can’t just be treated like an IT issue; it needs to be treated as fundamental to patient care. The NHS serves 1.6 million people daily and holds data on almost every person in the country.
Both workers and patients rely on quick, accurate data in the form of things like medical records and test results. Its effective functioning is quite literally a matter of life and death.
The scale of security must meet the scale of the threat and potential consequences.
___________________
Joe Jones is a cybersecurity expert and CEO & co-founder of cybersecurity firm Pistachio
LBC Opinion provides a platform for diverse opinions on current affairs and matters of public interest.
The views expressed are those of the authors and do not necessarily reflect the official LBC position.
To contact us email opinion@lbc.co.uk