The NHS remains vulnerable to cyber-attacks and must take "urgent steps" to protect itself, according to a whitepaper by Imperial College. Presented to the House of Lords on Tuesday, July 2, 2019, the paper suggests that a combination of outdated computer systems, lack of investment, and a "deficit of skills and awareness in cybersecurity" is putting hospitals at risk.
The report, written by researchers from Imperial College London’s Institute of Global Health Innovation led by Professor the Lord Ara Darzi, collated evidence from NHS organizations and examples of previous attacks in the UK and across the globe. While the report commends existing measures put in place, it says more investment is urgently needed.
There are a number of key measures for NHS trusts to implement in order to increase cyber resilience, according to the research. These initiatives include "employing cybersecurity professionals in their IT teams, building ‘fire-breaks’ into their systems to allow certain segments to become isolated if infected with a computer virus, and having clear communication systems so staff know where to get help and advice on cybersecurity."
The authors also point to the number of new technologies being used in the health system, such as robotics, artificial intelligence, implantable medical devices and personalized medicines based on a person’s genes, and say scientists must build security into the design of these technologies.
“We are in the midst of a technological revolution that is transforming the way we deliver and receive care,” says Lord Darzi, co-director of the Institute of Global Health Innovation (IGHI). “But as we become increasingly reliant on technology in healthcare, we must address the emerging challenges that arise in parallel.
“This report highlights weaknesses that compromise patient safety and the integrity of health systems, so we are calling for greater investment in research to learn how we can better mitigate against the looming threats of cyber-attacks.”
Cyber-attacks on healthcare systems have increased in recent years. The global WannaCry attack in 2017, which took out 34 NHS trusts in the UK, cost the Department of Health and Social Care around £92 million. It resulted in thousands of appointments being cancelled, and in some cases patients were diverted to other hospitals.
The authors of the new report warn that while the WannaCry attack was relatively crude and unsophisticated, and was not unique to the NHS, the number and sophistication of attacks are rising.
Dr Saira Ghafur, lead author of the report from the IGHI, explains: “Since the WannaCry attack in 2017, awareness of cyber-attack risk has significantly increased. However, we still need further initiatives and awareness, and improved cybersecurity ‘hygiene’ to counteract the clear and present danger these incidents represent.
“The effects of these attacks can be far-reaching – from doctors being unable to access patients’ test results or scans, as we saw in WannaCry, to hackers gaining access to personal information, or even tampering with a person’s medical record.”
In October 2018 the Department of Health and Social Care announced a spend of £150m over the next three years to protect key services from the threat of cyber-attacks. The department also recently announced the creation of a new unit called NHSX that will oversee digital transformation, and it is hoped that this organization will help streamline cybersecurity accountabilities.