The vulnerability is attributed to a number of causes, according to the whitepaper, which also said that urgent steps are needed to defend against threats that could put patient safety at risk.
Cybersecurity in the NHS has been a concern for many years now. In December 2018 freedom of information requests by Redscan revealed that nearly a quarter of NHS trusts have no employees with security qualifications. And a quarter of NHS trusts spend a penny on cyber-security training.
The new whitepaper, written by researchers from Imperial College London’s Institute of Global Health Innovation led by Professor the Lord Ara Darzi, has suggested three main reasons as to why the NHS remains vulnerable to hackers.
These are a combination of outdated computer systems, a lack of investment, and a deficit of skills and awareness in cyber security.
The research team also said that more investment is urgently needed, and that NHS trusts must employ cyber security professionals in their IT teams.
Trusts also need to build ‘fire-breaks’ into their systems so that individual segments can be isolated if they become infected.
It should be remembered that NHS trusts were badly affected by the WannaCry ransomware that spread rapidly through computer systems around the world in May 2017.
“We are in the midst of a technological revolution that is transforming the way we deliver and receive care,” said Lord Darzi, Co-Director of the Institute of Global Health Innovation (IGHI). “But as we become increasingly reliant on technology in healthcare, we must address the emerging challenges that arise in parallel. For the safety of patients, it is critical to ensure that the data, devices and systems that uphold our NHS and therefore our nation’s health are secure.”
“This report highlights weaknesses that compromise patient safety and the integrity of health systems, so we are calling for greater investment in research to learn how we can better mitigate against the looming threats of cyber-attacks,” said Lord Darzi.
Security experts were also quick to comment on the state of cybersecurity within the NHS.
“Ever since WannaCry impacted the NHS, there has been an increased awareness of the lack of security funding the NHS technology systems have received over the years, with many systems being out of support and, in many cases, full inventory not known,” said Javvad Malik, security awareness advocate at KnowBe4.
“Fixing such a large infrastructure is no easy task and it’s not an issue that can be resolved simply by throwing money at the problem,” said Malik. “Rather, this is an instance where we see an organisation that has neglected its security culture for a long period of time. Therefore, addressing the security culture is where efforts should begin.”
“That doesn’t mean making security issues black and white or introducing friction into processes which could end up adversely impacting patient safety,” he added. “It means creating an environment and technology choices that encourage and push towards better security and risk decisions being made both from the medical staff on the front lines and all the back end support.”
Another expert warned that the NHS has to come to the realisation that data breaches will happen in the future.
“Anything that is online is essentially fallible to breach, including backup and data stores. The first rule of cybersecurity is to accept that a breach is likely and not live with the idea that you’re infallible,” said John Gillan, UK Country Manager of Cohesity.
“There are things organisations of all sizes can do though to put up a strong fight,” said Gillan. “Step one is widespread employee training to help them understand the telltale signs that an email or a link is not right. Best practice around using USBs, connecting personal devices, and use of personal email on work devices is also critical. The majority of security breaches are still down to human error.”
“Technology can play a key part in a security defence, obviously so,” he said. “But if employees are making basic mistakes, the technology aspect is always going to be on the back foot.”
Another expert pointed out that healthcare entities are often viewed as soft targets.
“Healthcare institutions are seen as softer targets as not only are these systems just as rich with data as the traditional targets but security often lags due to the focus on, in the case of healthcare, patient care over IT,” explained Anna Russell, VP at comforte AG.
“The NHS must surely have an enormous treasure of sensitive data, so besides improving their perimeter defense, they should explore a data-centric security approach,” said Russell. “That way, they could pro-actively protect their data against breaches instead of playing constant catch up in terms of addressing the many different root causes that can lead to cyber incidents.”
Do you think it's important to invest in a safer NHS?