Study: NHS ‘Remains Vulnerable’ To WannaCry-Style Cyber-Attacks

Researchers at Imperial College London have said that the NHS remains vulnerable to cyber-threats such as WannaCry, and called on it to take “urgent steps” to improve security.

The global WannaCry ransomware attack in May 2017 disrupted operations at around 34 NHS trusts, preventing staff from accessing patient data and carrying out critical services.

It is estimated to have cost the NHS around £92m in total, and in response the Department of Health and Social Care announced it would spend £150 million over the next three years to improve security.

The recently announced NHSX unit, which is overseeing digital transformation, is also tasked with clarifying security operations.

Vulnerability

But these measures, while important, do not go far enough and the NHS remains vulnerable due to out-dated computer systems, a continued lack of investment and a deficit of skills and awareness in cyber-security, researchers from Imperial College London’s Institute of Global Health Innovation said in a white paper presented last week in the House of Lords.

They said more investment is needed and recommended key measures including employing cyber security professionals in IT teams, building “fire-breaks” into systems to allow for the isolation of certain segments of the structure in the event of an attack or virus infection, and instituting clear communications systems to that staff know where to get help and advice on cyber security.

New technologies are being used in health systems, including robotics, artificial intelligence, implantable medical devices and personalised medicines based on a patient’s genes, and the report’s authors said security must be designed into these technologies from the beginning.

“For the safety of patients, it is critical to ensure that the data, devices and systems that uphold our NHS and therefore our nation’s health are secure,” said Professor the Lord Ara Darzi, co-director of the IGHI and lead author of the study.

‘Looming threat’

“This report highlights weaknesses that compromise patient safety and the integrity of health systems, so we are calling for greater investment in research to learn how we can better mitigate against the looming threats of cyber-attacks.”

Co-author Dr Saira Ghafur said awareness of cyber-attacks has increased since WannaCry, but that further initiatives were needed.

“Addressing the issue of cyber security will take time, as we need a shift in culture, awareness and infrastructure,” Ghafur said.

NHSX said the NHS was “determined” to keep its systems safe from cyber-attacks.

“There is still much to do, which is why an extra £150m is boosting hospital defences alongside a national deal on Microsoft licences,” the organisatio said in a statement.

“NHSX will be setting national strategy and mandating cyber security standards so that local NHS and social care systems have security designed in from the start.”