Two years after being badly hobbled by the WannaCryptor (aka WannaCry) outbreak, the United Kingdom’s National Health Service (NHS) still has a lot of work to do to avoid another crippling cyber-incident, according to a white paper from the Institute of Global Health Innovation at Imperial College London.
A trio of problems – outdated computer systems, underinvestment in cybersecurity, and a shortage of cybersecurity awareness and skills – put the institution and the safety of its patients at risk. The white paper was presented at the House of Lords yesterday.
“A cyberattack on a hospital’s computer system can leave medical staff unable to access important patient details – such as blood test results or X-rays, meaning they are unable to offer appropriate and timely care. It can also prevent life-saving medical equipment or devices from working properly, and in some cases lead to patient data being stolen,” reads a dire warning from the experts.
They also highlight risks associated with the use of new technologies in the healthcare system, including “robotics, artificial intelligence, implantable medical devices and personalized medicines based on a person’s genes”, and call for security to be built into the design of these technologies.
Then there is, of course, the need to manage third-party risk, as reliance on external IT service providers may leave patient data vulnerable to theft and exploitation.
Says ESET cybersecurity specialist Jake Moore: “More and more third-party technology firms are brought into helping government organizations with their day-to-day work as outsourcing is seen as a cheaper option. However, when such third-party operations are chosen, the main reason can sometimes be on cost alone, which can inevitably put security and protection of the systems lower down the priority list”.
“To see the NHS attacked again would be a disaster; therefore, protecting confidential health data on its patients should be seen as priority number one whatever the cost,” he added.
Way to go
The white paper acknowledged the work being done across the healthcare system to boost its cyber-preparedness, including a plan, announced by the Department of Health and Social Care in October 2018, to spend £150 million (US$188 million) over the next three years to that end.
That said, the document also states that additional investments are urgently needed and suggests further measures for NHS organizations to put in place to improve their ability to fend off cyberattacks.
Among other things, it urges the NHS to hire cybersecurity professionals, ensure that staff know where they can ask for help and guidance on IT security, and implement network segmentation and segregation strategies to stop potential threats from spreading further and limit the damage.
WannaCryptor cost the NHS £92 million (US$115 million).