The National Health Service might be at risk of cyber attacks, a new white paper on NHS cybersecurity has said.
Written by researchers from Imperial College London’s Institute of Global Health Innovation, led by Professor Ara Darzi, the paper said urgent measures needed to be taken to defend against threats to patient safety.
The findings were presented on Tuesday at the House of Lords.
Based on recent cyber attacks on healthcare systems around the world, the report suggested that a combination of factors, such as outdated digital systems, a deficit of technical knowledge and skills among staff, and a lack of financial strength to invest in better technology, is making NHS hospitals vulnerable.
The impact of a cyber attack could mean health care practitioners are not able to access patient data such as blood groups, test results or X-rays, the report said.
NHS hospitals found themselves in this situation in 2017 when they were hit by the global WannaCry ransomware attack. Some NHS services had to turn away non-critical emergencies, while some ambulances had to be diverted.
"Pretty much everything is digital in healthcare. Even after a week after the WannaCry attack, many appointments were cancelled. At the end of the day, any limitation in care will have an impact," Dr Saira Ghafur, lead author of the report, told Euronews.
What's more, patient data can be stolen. Insurance records in hospital systems also bring a financial dimension to the hacking.
There is no definite and known motivation for hackers. Some could be amateurs doing it for entertainment, others could have more sinister interests, according to Dr Ghafur.
While the impact of WannaCry was exponential, it could have been worse, researchers warned. The threat to patients would have been even greater if data had been subtly manipulated — like changing a patient’s blood type in the Electronic Health Record, without being detected.
The NHS was not the main target of WannaCry, but in 2018 hackers specifically targeted the Singapore healthcare group SingHealth and compromised the personal information of 1.5 million patients, including Prime Minister Lee Hsien Loong.
After the WannaCry attack, efforts have been made to improve the NHS’s responsiveness to cyber threats. "NHS Digital has been commissioned by the Department of Health to develop a Care Computer Emergency Response Team ... which (can) support stronger cybersecurity across health and social care," the report said.
However, the authors believe a lot more needs to be done for their systems to be foolproof.
Dr Ghafur added that the NHS last year struck a deal with Microsoft. "This will make sure all systems are updated appropriately and as needed," she told Euronews. The department plans to spend £150 million (€167 million) over the next three years to protect key services from the impact of cyber attacks.
In addition to securing hardware and software products, researchers called for a change in culture. "It's just not an IT problem. Everyone from the board to staff members should be made aware of cyber hygiene, such as not sharing passwords, not leaving computers unlocked, not emailing patient data to personal email addresses and so on. These simple measures could further avoid accidental compromise."
The authors of the report pointed out that security measures must be built into new medical technologies, such as robotics, artificial intelligence, implantable medical devices and personalised medicines based on a person’s genes.
The problem, Dr Ghafur stressed, is not limited to the NHS but extends to all health systems around the world. "What makes cyber attacks on hospitals different from say banks, for example, is that people's lives are involved," she said.
"We need to do everything we can to protect the safety and security of patients."