In July 2019, researchers from Imperial College London told the House of Lords that investment was “urgently needed” to better protect the NHS from cyber threats. This came just two years after the WannaCry ransomware virus blitzed through dozens of hospitals, locking down computers across the health service. This shutdown forced almost 20,000 hospital appointments to be cancelled, and cost roughly £92m in lost output and IT costs.
And due to the massive amounts of patient data held by the organisation, the stakes are incredibly high when there’s a risk of attack. Not only can cybercrimes lead to data being stolen, but staff may not be able to access the information required to offer proper care. What’s more, cybercrime can also prevent life-saving medical devices from working, with potentially devastating consequences. But what are the main cybersecurity concerns that the NHS needs to protect itself from?
1. Internet of Things (IoT) issues
The NHS has harnessed internet-enabled technology — known collectively as the Internet Of Things (or IoT) — in numerous ways. Examples include hospital beds which display patient information, smart insulin pens, and wearable asthma monitors. In fact, the global IoT healthcare market is predicted to be worth £413.41 billion by 2025.
However, since these devices run on the same internet connections as the computers themselves, IoT technology is susceptible to hacking, and individual medical devices are much more easily attacked than an entire hospital network. This has led cybercriminals to increasingly focus their efforts on infiltrating them instead.
The manufacture of all medical devices and equipment is “strictly regulated to ensure they conform to the expectations outlined by the EU Medical Device Regulation”, which stipulates that the benefits of these devices must “outweigh any risks, and perform as expected”. Minimising cybersecurity risks has been a key focus of that regulation, as confirmed by the EU Medical Device Coordination Group, and the legislation still applies even in the wake of Brexit.
Unfortunately, there remains a lack of understanding within the NHS about the risks associated with hacking IoT devices. In late 2018, researchers found that there was just one qualified security professional per 2,582 NHS employees, rendering many robustly manufactured IoT devices more vulnerable due to user issues like weak passwords and outdated software.
2. Malware threats
An investigation into the WannaCry attack revealed that the virus gained access to NHS computers as a result of unpatched or unsupported Windows operating systems. This allowed WannaCry to infect devices with ransomware (a type of malware), which encrypted all of the data they contained, and demanded payment in return for user access.
While there were protocols in place to help staff deal with this scenario, they had not been rehearsed, which made the response to the attack far less efficient than it could have been. As such, the NHS were very lucky it took place on a quiet Friday.
Ransomware — and malware in general — still poses a huge threat, even though a Comparitech study showed there have since been just six similar attacks on the NHS in the wake of WannaCry. However, as noted by Computer Weekly writer Alex Scroxton, many healthcare trusts fail to submit cybersecurity data, which means the number of attacks could be much higher than what’s on record.
In addition, the average attack left the NHS out of action for 25 hours, which is a worryingly long time in the healthcare sector. And with malware the cause of almost half of cybersecurity incidents suffered by UK health companies in 2019, the NHS still has more to do to protect itself. However, recent measures have offered a good start, such as offering cyber awareness training to staff, teaming up with tech giant IBM to enhance the organisation’s Cyber Security Operations Centre, and upgrading network computers to Windows 10.
3. Supply chain problems
One of the main cybersecurity threats facing the NHS doesn’t actually involve hospitals themselves. Cybercriminals are also exploiting weaknesses in third-party vendors, or any partners with systems connected to the hospitals, such as those in the supply chain. This threat looms large across all sectors, with the most recent statistics showing a worrying 78% rise in supply chain attacks during 2018.
In the NHS specifically, these often occur when cybercriminals intercept a supplier’s delivery, and introduce malicious code directly into medical devices without anybody knowing. However, security company Orpheus also found issues with third-party databases, including the astonishing fact that 95% of NHS suppliers lack advanced email security measures, putting data at risk.
To the NHS’s credit, it has recognised the seriousness of supply chain frailties, rolling out a new procurement platform called The Edge4Health. This allows suppliers to examine and improve cybersecurity measures, with a clear dial showing whether their activities are good, average or bad. They can then download a report outlining specific threats, and informing them of how they can reduce vulnerabilities. While clearly a positive step forward for the NHS, The Edge4Health was only introduced in February 2020, so the long term impact of this software still remains to be seen.