It’s a year since the NHS was disrupted by a cyber-attack that impacted patient care and left medical staff being forced to revert to pen and paper instead of using digital records.
The ransomware attack — which targeted an NHS software and services provider — was first spotted at the beginning of August 2022.
It rumbled on for weeks, disrupting systems including the software used for patient check-ins, medical notes, and the NHS 111 service.
In March 2023 — with the memory of the cyber-attack still fresh — the UK government announced new plans to promote better cyber resilience across the health and care sectors by 2030 in a bid to better protect services and patients.
The new strategy set out five key ways to build cyber resilience including identifying areas where disruption would cause the most significant harm to patients and embedding security into the framework of emerging technology.
A full implementation plan is expected to be published later this summer.
Government proposes new NHS cyber resilience strategy
What is known, however, is that the NHS is to work more closely with national cyber security teams to help deliver the strategy.
This work will include enhancing the NHS England Cyber Security Operations Centre (CSOC), publishing a comprehensive and data-led landscape review of cyber security in adult social care, and updating the Data Security and Protection Toolkit (DSPT) to empower organisations to own their cyber risk.
Speaking at the time, Health Minister Lord Markham said: “We’re harnessing the power of technology to deliver better, safer care to people across the country — but at the same time it’s crucial we’re also bolstering the defences of our health and care services.
“This new strategy will be instrumental to ensure every organisation in health and adult social care is set up to meet the challenges of the future.
“This is an important step to ensure we’re building an NHS which is sustainable and fit for the future, with patients at the centre,” he said.
How realistic is this goal and what could stand in the way?
While the announcement is to be applauded, healthcare — not just in the UK but across the globe — will continue to be targeted by cybercriminals because of the vast amount of data that hackers can potentially access.
A recent article by the Chartered Institute for IT (BCS) lists some of the “biggest healthcare cyber-attacks this decade.“
As the article makes clear, any breach can shut down hospital networks, leading to the cancellation of appointments and operations.
But it’s not just the inconvenience and potential knock-on effect to waiting lists.
The risk of losing patients’ personal and private data – from medical histories to national insurance numbers – is also significant.
Which is why when it comes to cyber security, the NHS faces three key challenges it must address.
Budget allocation
It doesn’t matter what line of business you’re in — whether it’s retail, logistics or healthcare — any security breach has financial repercussions.
For patients to remain confident that their data is secure, they need to be sure that hospitals are investing in security systems to keep hackers out.
In a landscape where budgets are tight, this is easier said than done.
Training staff on cyber skills
Staff training is key to IT security.
To ensure that team members are not a weak link, training needs to be baked into induction programmes from day one so that staff have — at the very least — a basic cybersecurity awareness.
That training must include the importance of creating strong passwords and the need to be wary of strange email links.
What’s more, staff need to be reminded regularly of their cyber security obligations.
Endpoint exposure
One of the biggest security threats to the NHS is the number of endpoints within hospitals, surgeries, and other healthcare facilities.
This can include everything from PCs, tablets, and printers to Internet of Things (IoT) healthcare devices and even life support machines.
Without proper network visibility and protection, each device represents a potential vulnerability.
Arguably, this is the biggest challenge facing the NHS. But with the right tools, it can also be the simplest to resolve.
With so much pressure on healthcare services — and with waiting lists hitting record highs — NHS budgets are being squeezed like never before.
Which is why some people may question why money should be spent on data security rather than frontline healthcare.
The answer, though, is simple. Last year’s attack on the NHS was not a one-off.
At the end of June 2023, it was reported that more than 70TB of sensitive data — including resumés and financial reports — may have been stolen from the Barts Health NHS Trust in London after falling victim to a Russian ransomware gang called BlackCat.
While in the same month, the Independent reported that the personal details of more than a million patients — from across 200 hospitals — may have been leaked as part of a cyberattack at the University of Manchester.
What both these attacks reveal — along with the one last year — is that the NHS and patient data is a lucrative hunting ground for cybercriminals.
Theft of data is bad enough.
But when it leads to services being interrupted — as happened to the NHS last year — it’s incumbent on all concerned to redouble their efforts to tighten security at all levels.
