A combination of outdated computer systems, lack of investment, and a deficit of skills and awareness in cyber security is placing NHS hospitals at risk, researchers have warned.
A report from Imperial College London’s Institute of Global Health Innovation reveals that Britain’s National Health Service, which suffered greatly at the hands of WannaCry operators in 2017, is still ill-prepared for ongoing cyber-attacks.
The report says the attack was relatively crude and unsophisticated. Nevertheless, the Department of Health and Social Care said the infamous ransomware pandemic has cost the NHS an estimated £92 million (115 million USD / 102 million EUR). And the paper says the number and sophistication of attacks on the NHS are rising.
“Since the WannaCry attack in 2017, awareness of cyber-attack risk has significantly increased,” Dr Saira Ghafur, lead author of the report from the IGHI, explained. “However, we still need further initiatives and awareness, and improved cyber security ‘hygiene’ to counteract the clear and present danger these incidents represent. The effects of these attacks can be far-reaching – from doctors being unable to access patients’ test results or scans, as we saw in WannaCry, to hackers gaining access to personal information, or even tampering with a person’s medical record.”
The Department of Health and Social Care announced in October 2018 it will spend £150 million over the next three years to safeguard key services against looming cyber-threats. As part of the initiative, a new unit called NHSX was created to oversee digital transformation. The department hopes the specialized cyber-unit will help streamline accountabilities.
However, even with increased spending and expertise, the NHS – and indeed many healthcare systems around the world – still harbors weaknesses that compromise patient safety.
For example, the authors point to the number of new technologies making their way into health systems, such as robotics, AI, implantable and/or connected medical devices, personalized medicine based on a patient’s genes, and more. These technologies must be designed with security in mind. To that end, further investment and awareness are required at all levels of the already-stretched health system, researchers said.
“We are calling for greater investment in research to learn how we can better mitigate against the looming threats of cyber-attacks,” the report said.
“Addressing the issue of cyber security will take time, as we need a shift in culture, awareness and infrastructure,” said Dr Ghafur. “Security needs to be factored into the design of digital tools and not be an afterthought.”
Selling stolen patient records on the underground web has become a lucrative business, making the healthcare sector an attractive target for bad actors in recent years. The imminent threat of a breach has led to the emergence of specialized prevention solutions, such as Network Traffic Analytics, that detect potential cyber-attacks in transit, before the attackers can reach actual endpoints. NTA technology has also emerged as an effective solution to combat attacks on connected and smart devices, which often lack proper safeguards against external threats, as well as to counter insider threats, such as negligent staff or employees with malicious intent.