UK’s health service needs to beef up cybersecurity

Two years on from the WannaCry attack that paralyzed computer networks worldwide, the UK’s National Health Service (NHS) is still highly vulnerable to cyber-attacks.

This is according to a new white paper presented at the House of Lords last week, produced by researchers from Imperial College London.

The paper highlights outdated systems, a lack of technical expertise, and a lack of funding as contributors to the state of security across the state health service.

Importantly, it says, the NHS has become “completely reliant on third parties to store and protect their data” – and is not adequately monitoring their work.

“Since the WannaCry attack in 2017, awareness of cyber-attack risk has significantly increased.

“However, we still need further initiatives and awareness, and improved cybersecurity ‘hygiene’ to counteract the clear and present danger these incidents represent,” says Dr Saira Ghafur, lead author of the report.

“The effects of these attacks can be far-reaching – from doctors being unable to access patients’ test results or scans, as we saw in WannaCry, to hackers gaining access to personal information, or even tampering with a person’s medical record.”

The report calls for more security experts to be employed, and for security tools such as firewalls to be widely adopted.

It advocates a security-by-design approach for emerging technologies such as robotics, AI, implantable medical devices, and personalized medicine.

Late last year, freedom of information requests submitted by threat detection and response firm Redscan revealed that, on average, NHS trusts had just one member of staff with professional security credentials. Some had none at all.

“The Imperial College London report echoes our belief that there is still a lack of investment in security, [with] regards to technology, training, and, most importantly, skills,” Redscan CTO Mark Nicholls tells The Daily Swig.

“There is a global cybersecurity skills crisis – and the NHS is not the only organization affected – but individual trusts don’t have the budget to compete for the best security talent when compared to the private sector.

“The public sector must therefore do more to invest in and nurture talent from within.”

There’s also the question of overall funding. IT investment in the NHS, the white paper points out, is running at just 1-2% of total operating costs – half the amount generally seen in the private sector. As a result, antiquated technology is widespread.

“Were security adequately prioritized, these systems would have been updated over time as they reached end of life,” says Nicholls.

“An overhaul is now needed to update these systems across the country, the cost of which will be huge – but nothing compared to the cost of another WannaCry-level attack.”

WannaCry cost the NHS around £72 million ($90 million) in IT support, plus another £20 million ($25 million) in lost output.

The government has since announced plans to spend £150 million ($187 million) on cybersecurity over the next three years.

Earlier this year, a new joint unit known as NHSX was revealed to be working on the health service’s digital transformation.
