Cyber security and health organisations

Back in May, the WannaCry ransomware must have left many in the NHS wanting to cry. The irony is that it has since become clear that the disruption could have been prevented had the NHS simply followed basic security measures.

Outdated security made the NHS an easy target

It has emerged that, back in 2014, the Department of Health and Cabinet Office contacted NHS trusts to advise them that they needed to have “robust plans” in place to migrate from outdated software such as Windows XP by April 2015.

To put this into perspective, Windows XP was launched in 2001, its mainstream support period ended in 2009 and all support ended in April 2014 (with the exception of “critical patches” made available to customers on a paid support plan).

It appears, however, that nobody bothered to check that the various trusts had actually completed their migrations. The events of May 2017 made it clear that, in spite of all the warnings, many NHS computers were still running Windows XP and that the NHS, in general, needed to do a whole lot more to bring its IT security practices into line with the demands of the 21st century.

Private healthcare companies and charities must also pay attention

The NHS is a huge organisation but it is not the only one threatened with cyber attacks. Smaller, private healthcare companies and health-related charities must also take steps to ensure that their customers’ or patients’ data is absolutely secure, and that they can continue to run their organisations in the event of an attack. Specialised IT security support is an essential investment to stay on top of the new and emerging threats faced by organisations in the modern world.

Ransomware is a growing concern for health organisations

As is often the case, the event that hit the headlines is not necessarily the one that people should be most worried about. WannaCry certainly caused unprecedented disruption, with thousands of appointments being cancelled and all that implies but, according to the NHS, no patient data was compromised; a huge relief given the sort of personal data the NHS holds.

What may be less widely known, but arguably of even more concern, is the fact that a Freedom of Information request has made it public that almost a third of NHS trusts have been hit with at least one ransomware attack, with Imperial College Healthcare in London suffering no less than 19 attacks in the space of a year. According to the FoI request, none of these trusts paid the requested ransom, but none informed the police either, preferring to deal with the matter internally.

GDPR and public concern versus budget constraints and challenges attracting staff

NHS management can probably take great comfort from the fact that both the WannaCry attack and the ransomware attacks took place before the implementation of GDPR. They have still, however, had to face public scrutiny and political backlash over the situation.

On the one hand, it can be challenging to find sympathy for such widespread cybersecurity failings in an organisation like the NHS. On the other hand, it has to be acknowledged that demand for the skills of the UK’s IT security professionals is extremely high compared to the number of professionals available. Add to this the need for professionals who specialise in the healthcare industry, and you have to face the fact that the NHS is in direct competition with the private sector for their talents.

With statutory healthcare funding getting tighter and tighter, and cyber security attacks getting more and more sophisticated, the government may find itself obliged to ring-fence a specific proportion of the NHS budget for tackling IT security threats across the healthcare landscape. Private and charitable organisations must also prioritise security measures to prevent cyber attacks and to deal with threats as they arise.