Recent cyberattacks show a consolidated effort is needed to prepare the NHS for any future cyber security incidents, writes European policy expert, Sarah Collen.
On 12 and 13 May, staff in a number of NHS organisations were greeted by a red screen saying their files – including patient medical records – had been encrypted.
The recent global cyberattack, using ransomware called WannaCry, infected 200,000 computers in at least 150 countries and exposed costly flaws in hospital IT systems.
The ensuing disruption of NHS services after the attack was particularly acute as patient records could not be accessed by hospitals and GPs, meaning that appointments and operations had to be cancelled and rescheduled, and patients transferred to hospitals that were not affected.
This is not the first time the NHS has been hit by cyberattacks.
In October last year, for example, the North Lincolnshire and Goole NHS FT shut down most of its network and cancelled appointments and routine surgery at three hospitals after a computer virus hit its IT system.
However, the cyberattack from 12 May was of unprecedented scale, bringing down interior ministry computers in Russia, railway ticket machines in Germany and parts of the FedEx network in the US.
Addressing the European Business Summit in Brussels recently, the UK’s European Commissioner responsible for security in the union, Julian King, said the attacks should serve as a wake-up call. "What was once the preserve of specialists is now the stock in trade of criminals and crooks who have the ability, as shown last week, to touch the lives of all of us."
The NHS is particularly vulnerable to cyber security incidents due to a number of reasons:
- The volume of information and the connection with patients means that the use of automation and IT is necessary – for the NHS, this means electronic patient health records, such as summary care records.
- The diverse nature of healthcare information systems enables different devices to access the internet, thus making them easy targets – many medical devices are now network-connected and communicate with servers over the internet. Furthermore, hospitals don’t buy new CAT scanners or MRI machines every three years, meaning much medical equipment is likely to run antiquated systems that are open to attacks delivered through the internet.
- Many outdated applications and systems don’t include security as a priority – government guidance to NHS organisations is that they should move away from unsupported software such as Windows XP, but that is far easier said than done. Many machines that run XP do so because it can interface with older equipment. Developing new software or buying new machines running modern, less vulnerable software can cost thousands or millions of pounds. The reality is that investment in IT has frequently been deprioritised, and decisions around levels of IT investment are made all the more difficult with enormous pressure to reduce deficits.
Combining these reasons with the fact that a breach of security can impact large parts of the population means it is critical that the NHS increases its cyber security measures.
In July 2016, the European Union approved new legislation on cyber security, which EU member states will have to implement by May 2018 (the UK will still be a member of the EU).
This legislation identifies healthcare as an ‘essential service’ and requires healthcare providers to take “appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations.”
A lot of this chimes with recommendations of Dame Fiona Caldicott’s Review on data security, consent and opt-outs, so we could expect guidance on how to comply with this to be issued by government alongside this package of reforms.
The WannaCry cyberattack is the first time EU member states have shared information formally through the mechanism created to implement the new EU cyber security law.
Set up in 2004, ENISA, the EU Agency for Network and Information Security, acts as a shared knowledge base and works closely with member states and the private sector to deliver advice and solutions. It has produced recommendations and a technical note on the WannaCry virus.
On the back of the attack, the EU is considering how to further improve the EU's resilience, response capacity and cooperation in this field, including by jointly working to improve criminal justice in cyberspace.
ENISA also brings together a technical group of eHealth security experts giving the agency the opportunity to listen to experiences, good practice and ideas. Participants of the group address important issues relating to the security and resilience of the eHealth systems and infrastructures.
ENISA has published two studies of particular interest to the NHS:
Both reports highlight the most important security challenges and crucial security requirements, and identify relevant good practice. According to these publications, the risk posed by human error is as great as, and perhaps even greater than, that posed by malicious actions.
The Wachter review on harnessing the power of health information technology in the NHS calls not only for the prioritisation of IT at both national and local level, but also recommends the development of the NHS workforce, including trained clinician informaticians in NHS trusts, giving them appropriate resources and authority.
With Brexit negotiations now underway between the UK government and EU negotiators, it is unclear how closely the UK will seek to align itself with EU standards for cyber security, and how far it will invest in shared agencies and knowledge sharing with European counterparts on this issue.
What is certain is that the recent attacks require a consolidated effort in preparing the NHS to face the challenges of future cyberattacks.
Sarah Collen is a senior policy manager at the NHS European Office, part of the NHS Confederation. Follow the organisation on Twitter @NHSConfed_EU